Splunk Search

Distributed search groups not actually filtering searches

Lucas_K
Motivator

We are using distributed search groups ( http://docs.splunk.com/Documentation/Splunk/6.4.2/DistSearch/Distributedsearchgroups ).

We have 2 sets of indexers: index group A and index group b.

We have a config similar to the following.

distsearch.conf
[distributedSearch]
servers = indexa_1:8089,indexa_2:8089,indexb_1:8089,indexb_2:8089

[distributedSearch:groupa]
default = true
servers = indexa_1:8089,indexa_2:8089

[distributedSearch:groupb]
servers = indexb_1:8089,indexb_2:8089

[distributedSearch:all]
servers = indexa_1:8089,indexa_2:8089,indexb_1:8089,indexb_2:8089

I am finding that if I check /opt/splunk/var/log/splunk/remote_searches.log on indexb_1 or indexb_2 I can see certain searches from this search head hitting them when they shouldn't.

These particular searches do not have splunk_server_group=groupb or splunk_server_group=all in the query.
They do all seem to have "presummarize" or "scheduler" in their search. I'm not seeing interactive search sessions though.

Do distributed search groups only stop searches from interactive searches?

This seems like a hole/bug.

0 Karma

peterchenadded
Path Finder

We are seeing this issue for accelerated datamodels.

For other types of searches we were able to get around them by quarantining servers.

For accelerated datamodels it seems to be ignoring all the rules as shown below:

04-05-2018 21:32:33.384 INFO SearchProcessor - Search targeting info not set on processor presummarize. Will contact all peers by default
04-05-2018 21:32:33.384 INFO DistributedSearchResultCollectionManager - Connecting to peer HOST1 connectAll 0 connectToSpecificPeer 1

Anyone else have any luck with this?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...