Getting Data In

Indexer Cluster & Search Head Indexes.conf

LordLeet
Path Finder

Hey,

I'm setting up an Indexer Cluster and a Search Head for the first time and I'm facing an issue on the Search Head.
I can search the indexes content with the Search Head, but on the Settings>Indexes page I do not have information regarding the Indexes.
I'm not exactly sure how to link the Search Head to the indexes.conf of the peers. If I upload the same indexes.conf to the Search Head they do show up, but as if they were on the Search Head, which then retrieves no useful information.

How can I troubleshoot this?

Thanks in advance!

0 Karma

nls7010
Path Finder

I don't have an answer, just a question. My indexes are also not showing up on the search head cluster, I have an app (XXX-indexes-app) that has the indexes.conf in it, do I need to push it to both the indexers (via the CM) and the search heads (via DC)? I want to make sure the events are being stored on the indexers, but also that the search heads (clustered) have the indexes showing.

0 Karma

Vijeta
Influencer

@woodcock Can you please help with this question. Even I have the question that do indexes.conf on indexers and SH need to be in sync, although all the data is being indexed on indexers. What if I do not update indexes.conf on SH cluster, what impact will it have in terms of indexing or searching?

0 Karma

woodcock
Esteemed Legend

Create a new question, let's not hijack this one.

0 Karma

amitm05
Builder

Hey

If you are able to see the indexes content on the Search Head, this means that your indexers are integrated now with the search head. Copying the Indexes.conf from indexers has nothing to do with the integration of search peers with Search Head.

But if you want to troubleshoot and see all of your indexers are now showing up on search head. You can check the log file Splunkd.log which should be able to tell you if your indexers are able to make a successful connection with the search head.
Additionally, run the below query on your search head
| tstats count by index, host

And check if you are able to see all the indexes that you have created on the indexers.

Hope this helps!

0 Karma

amitm05
Builder

Also, you can check the statuses of your Indexers from the search head by using the following Rest call. Just run this query on Search head -

| rest /services/server/introspection/indexer splunk | fields splunk_server, title, status

This will provide you that which splunk instances are connected as indexing machines with your search head and their respective status as well.

0 Karma

woodcock
Esteemed Legend

Just put the same indexes.conf file that you put on your Indexers in the same place on your Search Head. This also has the added benefit that as you are typing index= in a search bar, the Search Head will be able to do auto-completion for you! This has NOTHING to do with being able to run searches against the Indexers as Search Peers; this is done with distsearch.conf plus pushing your Search Head's trusted.pem file to each Indexer. This process is automated by adding peers with Settings -> Distributed search -> Search peers -> New.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...