I'm facing an everyday problem with my customers' peers. Every single day the peer goes down about 20 times. We use this distributed search peer to get data from our customers' Splunk. Every time the peer goes down, we disable and enable the peer and it begins to work again.
I looked through the logs to see what I could find, but found nothing really useful.
=================================================
Audit log if we delete the peer manually:
{query}
index=_audit* user="vandrade" action=edit_dist_peer operation=remove
Result:
7/22/19
12:50:29.462 PM
Audit:[timestamp=07-22-2019 12:50:29.462, user=vandrade, action=edit_dist_peer, info=granted object="192.168.100.246:8089" operation=remove][n/a]
source = audittrail sourcetype = audittrail user = vandrade
===================================================
Search Audit log for the unwanted auto-deleted peer:
{query}
index=_audit* user="service_prtg" action=edit_dist_peer
Results:
(They're all the same)
Audit:[timestamp=07-22-2019 17:54:27.679, user=service_prtg, action=edit_dist_peer, info=granted object="10.1.1.90:8089" operation=list][n/a]
action = edit_dist_peer source = audittrail sourcetype = audittrail user = service_prtg
===========================================================
If I use operation="remove" in the second query, I'll get no results, although if the script runs several times, the peer gets deleted and generates no logs of it.