Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why isn't my index available for search in a distributed search environment?

rubeniturrieta
Communicator
‎09-07-2015 11:19 AM

Hi to everyone

I have a "Distributed Environment", with two indexers, and two search heads.
In the Master Node Indexer, I have an index called ftp, with a lot of data (I want this data available for distributed search). I've deployed "indexes.conf" to "search peers", and I can see the ftp index created in the search peer, but I can't see any data.

What can i do for have this data available for distributed search?

Regards

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dxu_splunk
Splunk Employee
Splunk Employee
‎09-07-2015 02:47 PM

2 possibilities 1) theres no data in your index (the index is not visible until there are buckets) 2) repFactor=auto wasn't set for the index (that sets the index to be a clustered index, see the indexes.conf.spec file)

see http://answers.splunk.com/answers/170721/why-cant-i-see-non-internal-indexes-in-cluster-mas.html#ans...

View solution in original post

Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎09-08-2015 10:11 AM

If you're working in a distributed environment, you need to create the index in the Cluster Master, under the master-apps, and then push that to all the cluster members.

Quick way to check this is to validate the existence of the index on all the cluster members. If you created this on one indexer, you're calling the master node, in the GUI under indexes, that wont replicate the index or the buckets to the other indexers.

Reply
Solved! Jump to solution

rubeniturrieta
Communicator
‎09-08-2015 12:05 PM

And how can i create the index in the Cluster Master under the master-apps?, i've copied the search app folder in the master-apps folder, and then push it, but i think that something is wrong with that.

0 Karma
Reply
Solved! Jump to solution
Solution

dxu_splunk
Splunk Employee
Splunk Employee
‎09-07-2015 02:47 PM

2 possibilities 1) theres no data in your index (the index is not visible until there are buckets) 2) repFactor=auto wasn't set for the index (that sets the index to be a clustered index, see the indexes.conf.spec file)

see http://answers.splunk.com/answers/170721/why-cant-i-see-non-internal-indexes-in-cluster-mas.html#ans...

Reply
Solved! Jump to solution

rubeniturrieta
Communicator
‎09-08-2015 12:07 PM

1) There's a lot of data in my index
2) repFactor is set in my index (SPLUNK_HOME/etc/apps/search)

0 Karma
Reply
Solved! Jump to solution

dxu_splunk
Splunk Employee
Splunk Employee
‎09-08-2015 12:20 PM

is it set for the indexers or the cluster master? (it needs to be set on all the indexers)

0 Karma
Reply
Solved! Jump to solution

dxu_splunk
Splunk Employee
Splunk Employee
‎09-08-2015 12:22 PM

http://docs.splunk.com/Documentation/Splunk/6.2.5/Indexer/Migratenon-clusteredindexerstoaclustereden...

if its migrated from non-clustering, the old buckets will not replicate

Reply
Solved! Jump to solution

rubeniturrieta
Communicator
‎09-08-2015 12:32 PM

Yes, you are right, is migrated from non-clustering.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...