Solved: Metrics index in index cluster not searchable

las · ‎06-06-2019

Hi.

I have a setup on Splunk 7.2.4 with a search head, that searches both an index-cluster and a standalone indexer.
I have deployed splunk-add-on-for-infrastructure_131 on both the index-cluster and the standalone indexer.
I have deployed splunk-app-for-infrastructure_131 on the search-head.

When I try to use SAI on the search head I only get results from the standalone indexer not from the Cluster.

This is my first experience with metric indexes so I'm not sure if there has to be some special considerations when using a index-cluster. Other data is searchable in this setup, so the connection is in order between the search-head and the indexcluster.

Can anyone please help getting the clustered data available in the search head?

The index is on the indexcluster, and on the Clustermaster I can see it has some data in it (5 bucket 0.03 GB, 2.8M events on one of the indexers).

Kind regards
las

las · ‎06-20-2019

There was no problems with the searching of the data.
The problem was with the metric-name, where the props somehow didn't set the first part of the name (process....) so SAI didn't pick up, that there was any data in the index.
This is probably some inconsistency with Splunk Add-on for Windows infrastructure.

View solution in original post

las · ‎06-20-2019

There was no problems with the searching of the data.
The problem was with the metric-name, where the props somehow didn't set the first part of the name (process....) so SAI didn't pick up, that there was any data in the index.
This is probably some inconsistency with Splunk Add-on for Windows infrastructure.

Metrics index in index cluster not searchable

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases