Re: How to debug why a change in the Search Head C...

nwales · ‎08-03-2015

We have an every minute summary indexing job which runs happily looking at data from a few minutes ago.

If we push a config out causing a captain change, we have seen twice in a row now that the new captain is looking at data 4 days ago. If we restart that instance and the original instance takes over, then it goes back to looking at the present time.

Last time this happened, we had to cycle through all three instances before we got back to the original. The second instance was running about 6 minutes behind, which, while not as bad, causes us duplicate information.

SH1 = currenty
SH2 = -6m
SH2 = -4days

The summary job does the right thing and attempts to backfill the data, but clearly this is not the behavior we are looking for.

What should I be looking for to start debugging this?

gustavomichels · ‎08-03-2015

What version are you using? 6.2.4 included a fix for summary searches (SPL-99279 - http://docs.splunk.com/Documentation/Splunk/6.2.4/ReleaseNotes/6.2.4) which might be related.

nwales · ‎08-03-2015

That might help, we've seen that issue separately but if the scheduler has been tightened up then it might help here too.

Currently we're on 6.2.3

How to debug why a change in the Search Head Cluster Captain causes summary indexing jobs to look for data in the past?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio