Splunk Search

Search head not fetching data properly from search peers

lksridhar
Explorer

Hi Folks,

We are facing an issue in our environment: the search head (6.2) is not fetching data properly from the search peers. We have two search heads with different versions; SH1 (version 6.2) is fetching 3000 events from the search peers and SH2 (version 6.6) is fetching 7000 events from the search peers, so there is a data mismatch between the SHs.

We have indexer clustering and a standalone indexer; the indexer cluster search peer version is 6.2 and the standalone indexer version is 6.6.

Why is SH1 not fetching data properly from the peers? Is it not fetching data properly due to the compatibility between the Splunk versions?

Please let me know if I need to change any configuration files to fetch the data properly.

0 Karma

maraman_splunk
Splunk Employee

As you have an indexer running 6.6, you'll need to upgrade your 6.2 SH to 6.6 to be in a supported configuration.
Currently your 6.2 SH has a problem talking with the 6.6 IDX, which explains the difference in your results.
As a rule of thumb, SH >= IDX version.

See http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Distsearchsystemrequirements for more info.

0 Karma

lksridhar
Explorer

Thanks maraman for the info. We are getting logs properly from the standalone indexer, which has the higher version, but not getting proper logs from the indexer cluster peers, which have the same version. Is there any cluster issue?

0 Karma

adonio
Ultra Champion

Try ... | stats count by splunk_server
to see where the gap is exactly.
As a rule of thumb, the Search Head has to have a newer version than the Indexer.

0 Karma

lksridhar
Explorer

Thanks adonio for the reply. I checked the query on the two search heads with different versions and it is showing different results.

SH1 (version 6.2) is showing a lower total event count compared to SH2 (version 6.5) and indexer version 6.2.3.

What would be the issue? Why is the total event count lower in SH1 compared to the 6.5 SH2?

0 Karma