Solved: Re: How to resolve error "Error pulling configurat...

mintughosh · ‎04-28-2017

I am getting the error "Error pulling configurations from the search head cluster captain; consider performing a destructive configuration resync on this search head cluster member"

I tried to run the following command

# splunk resync shcluster-replicated-config

but i am getting the error "Cannot resync_destructive: this instance is the captain"

I then tried to perform the rolling restart among search head cluster, run the following command

# splunk rolling-restart shcluster-members

But still I am getting the error "Error pulling configurations from the search head cluster captain"
I also ran splunk resync shcluster-replicated-config after rolling-restart.
But still not fix. and I am getting above errors

Please suggest a fix

mintughosh · ‎04-28-2017

I am not getting the error now. I followed the below given action -

stop the splunk on captain.
deleted the files and directories under splunk/var/run/ after taking backup
started the splunk on the search head.
ran the resync command.

I have performed the above action 1 hour from now. I have not received any error as of now.

View solution in original post

ridwanahmed · ‎02-25-2020

Can someone please explain why this is an issue/ why deleting var/run is the best solution?

ridwanahmed · ‎02-25-2020

Found much of this answer reading @lguinn 's comment on https://answers.splunk.com/answers/454262/how-do-i-fix-splunk-resync-shcluster-replicated-co.html

joesrepsolc · ‎11-18-2019

Jut ran into this issue today after a big maintenance window this past week with lots of changes. This worked GREAT. Thank you everyone for the contributions. Awesome stuff!

bandit · ‎11-09-2018

Running Splunk 7.1.1

the manual/destructive resync on the cluster member having the error corrected the issue for our cluster.

splunk resync shcluster-replicated-config

ktwingstrom · ‎05-02-2019

This worked for me! Thanks!

linhmai_bne · ‎03-16-2020

This worked for me. Tks

mintughosh · ‎04-28-2017

I am not getting the error now. I followed the below given action -

stop the splunk on captain.
deleted the files and directories under splunk/var/run/ after taking backup
started the splunk on the search head.
ran the resync command.

I have performed the above action 1 hour from now. I have not received any error as of now.

mcazacu · ‎10-20-2020

Works on one of the members as well. I had a replication issue with one of the members, did the steps outlined here (on the member, not the captain) and it fixed it!

Thanks! @mintughosh ! 🙂

dineshraj9 · ‎04-28-2017

Try transferring captain to another node and then perform resync.

https://docs.splunk.com/Documentation/Splunk/6.5.3/DistSearch/Transfercaptain#Change_the_captain

If this doesn't work, then restart the captain node and check.

How to resolve error "Error pulling configurations from the search head cluster captain"?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...