Solved: distributed search both ways?

dhaffner · ‎05-05-2010

Is it possible to have indexer A distribute to indexer B and have B distribute to A? What are the settings for it. Just trying to set it up via the GUI, it all seems OK, but B cannot see any events on A. Thanks for any help!

sideview · ‎05-05-2010

Have you checked whether the same field extractions exist on both servers?

In distributed search the search-time knowledge that gets used is solely on the search head. so if the field extractions/lookups/eventtypes etc are different, you will get different results, and if your search uses one of the missing items, frequently 0 results.

View solution in original post

sideview · ‎05-05-2010

Have you checked whether the same field extractions exist on both servers?

In distributed search the search-time knowledge that gets used is solely on the search head. so if the field extractions/lookups/eventtypes etc are different, you will get different results, and if your search uses one of the missing items, frequently 0 results.

dhaffner · ‎05-06-2010

Perfect! this worked out great! Thank you very much!

gkanapathy · ‎05-05-2010

Yes. You just set it up twice, repeating the steps on each side.

dhaffner · ‎05-05-2010

Any ideas why it doesn't work? We've done it on 2 other indexers with no problems. Where do we start looking?

dhaffner · ‎05-05-2010

That's what we have done, but it is only working one way, not both.

distributed search both ways?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases