Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search head and indexer connectivity

Mag2sub
Path Finder
‎04-21-2014 09:43 PM

We have set up alerting searches with continuous scheduling from a search head with 2 peers
Soemtimes the search head loses connectivity with one of the peers
In this circumstance how does continuous scheduling work ..if it misses connectivity with one peer during a alerting search ...how do we safeguard against such circumstances ?

Apprecate inputs

Tags (1)
0 Karma
Reply

MuS
Legend
‎04-24-2014 12:13 AM

Hi Mag2sub,

if your scheduled saved searches are configured to send alert emails you will get an email containing something like this:

-- Search generated the following messages -- 
Message Level: WARN
1. Unable to distribute to peer named <index-server> at uri https://<index-server>:<someportnumber>; because .....

In this case you would know about the condition you are describing.
You can also check out this answer the see a way to sent this kind of alert to a different recipient 😉

Best practice on the other hand would be to eliminate your cause for the errors.

hope this helps ...

cheers, MuS

0 Karma
Reply

Mag2sub
Path Finder
‎05-09-2014 07:49 AM

$6 just hits the jobs results endpoint ..which does not indicate any error neither $8 ...

0 Karma
Reply

MuS
Legend
‎04-24-2014 04:54 AM

ok, did you test SPLUNK_ARG_6 and / or SPLUNK_ARG_8 within your script? ARG_6 is an URL which could be loaded by your script and the parse the results or ARG_8 is the file system link to the result file which can be read by your script and be parsed for any errors.

0 Karma
Reply

MuS
Legend
‎04-24-2014 03:27 AM

pls hold the line and let me do some research. I know there is a way to do this as well in scripted alerts 😉

0 Karma
Reply

Mag2sub
Path Finder
‎04-24-2014 02:16 AM

We have a scripted alert and it does not get these from splunk ..it gives normal output ie normal arguments are passed and no error ...so i dont think this works for us

0 Karma
Reply

linu1988
Champion
‎04-23-2014 05:09 AM

status will always be success, if you can't get an instance or reproduce how do you want to test the alert? More often than not you will get an banner on splunkweb if there is an disconnection to search peer. then you know there must be some connectivity or indexer issue.

0 Karma
Reply

Mag2sub
Path Finder
‎04-23-2014 03:45 AM

Unfortunately there is no error in the scheduler for scheduled search ...its says staus=success which is mileading

0 Karma
Reply

linu1988
Champion
‎04-22-2014 05:27 AM

yes it will help if you have any error during the search. Use SOS app for monitoring the error trigger an alert. If it happens during a search it can't be avoided.

0 Karma
Reply

Mag2sub
Path Finder
‎04-22-2014 02:11 AM

1 Im looking for a way to safeguard against idx to SH connectivity loss during search time...how does a search work in that context

2 Connectivity loss message can be seen in the idx that was disconnected to SH
im looking to see how we can ensure seraches are not incomplete because of the loss of idx--sh connection..does continuous scheduling help ?

0 Karma
Reply

linu1988
Champion
‎04-21-2014 10:56 PM

how do you come to know that? Does it show in the search result in the mail?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...