
Distributed searches, search head clustering -- duplicate servers and inability to establish a common bundle version

Hi all,

I've been setting up a search head cluster and have run into a few problems. One of my search peers has a five-second delay when searching and gives the following error:

```
WARN ISplunkDispatch - Gave up waiting for the captain to establish a common bundle version across all search peers; using most recent bundles on all peers instead
```

Having taken a look at the forum, it says that this is an issue where the serverlist in distsearch.conf is not the same for all search peers. They were right -- it had all the other peers, but not itself, so, for example, it looked like this on server one:

```
[distributedSearch]
servers = search-head-2.local:8089,search-head-3.local:8089,search-head-4.local:8089
```

So I changed the config to look like this:

```
[distributedSearch]
servers = search-head-1.local:8089,search-head-2.local:8089,search-head-3.local:8089,search-head-4.local:8089
```

which then causes the following error message to appear:

```
WARN DistributedPeerManager - Unable to distribute to peer named search-head-4.local at uri https://search-head-4.local:8089 because peer has status = "Duplicate Servername".
```

However much I restart, change the config, or fiddle around with it, I still can't get one of the search peers (specifically number four) to stop this delay. I know that it can contact the captain for new bundles, as I put a new app in $SPLUNK_HOME/etc/shcluster on the deployment server and it distributed it to all cluster members when I applied an shcluster-bundle.

Does anyone have any insight into this? Thank you in advance.

Regards,
Alex
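An added example, not part of the original post and not Splunk's own tooling: a small audit that reads the `[distributedSearch]` `servers` line from each member's distsearch.conf and reports the two conditions the post describes, a member that lists itself and a member whose view of the peer set is incomplete. Comparing each list after adding the member itself is an assumption made here so that lists which only omit their own host count as equal; the fourth member's list is constructed sample data.

```python
import configparser

def parse_servers(conf_text):
    """Return the host:port entries of [distributedSearch] servers as a set."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get("distributedSearch", "servers", fallback="")
    out = set()
    for entry in raw.split(","):
        entry = entry.strip().lower()
        if entry:
            # Drop an optional scheme so https://host:port equals host:port.
            out.add(entry.split("://", 1)[-1])
    return out

def audit(members):
    """members maps each member's own host:port to its distsearch.conf text."""
    views = {m.lower(): parse_servers(text) for m, text in members.items()}
    everyone = set(views)
    for view in views.values():
        everyone |= view
    # Members that appear in their own servers list.
    self_listed = sorted(m for m, view in views.items() if m in view)
    # Peers known somewhere in the cluster but absent from a member's list.
    missing = {}
    for m, view in views.items():
        gap = sorted(everyone - view - {m})
        if gap:
            missing[m] = gap
    return {"self_listed": self_listed, "missing": missing}

def _conf(numbers):
    hosts = ",".join(f"search-head-{n}.local:8089" for n in numbers)
    return "[distributedSearch]\nservers = " + hosts + "\n"

# Constructed sample: member 1 uses the post's second config (lists itself),
# member 4 is missing member 3 (hypothetical, for illustration only).
SAMPLE = {
    "search-head-1.local:8089": _conf([1, 2, 3, 4]),
    "search-head-2.local:8089": _conf([1, 3, 4]),
    "search-head-3.local:8089": _conf([1, 2, 4]),
    "search-head-4.local:8089": _conf([1, 2]),
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```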

Top similar posts to Distributed searches, search head clustering -- duplicate servers and inability to establish a common bundle version

Search head cluster hybrid search error : "Gave up waiting for the captain to establish a common bundle version..."

I'm trying to migrate to a fully clustered environment so I'm trying out hybrid search as a bridge to getting fully clustered.

- 5x Search head cluster 6.2.1
- 6x Dist search index members 6.2.1
- 1x Index cluster master 6.2.1
- 1x Cluster peers 6.2.1

When performing a search on a search head I get `02-24-2015 14:39:08.539 +1100 WARN ISplunkDispatch - Gave up waiting for the captain to establish a common bundle version across all search peers; using most recent bundles on all peers instead` This...

Accelerated Saved Searches in Search Head Clustering (Accelerated Reports)

I have deployed a distributed environment in just one site (no multisite), using the Splunk Enterprise version **6.2.0**, and RHEL 6.5 as the operating system. The distributed deployment consists of 3 Search Heads (**SH**), 3 Indexers (**IN**), 1 Cluster Master (**CM**) and 1 Universal Forwarder (**UF**). I have configured the Indexers in "cluster" mode (exactly in the same way in which I have done before on version 6.1.3). No problem in this part, all is working fine. I have done several tries f...

If search head clustering can use "commodity" hardware, is there any reason I can't cluster 10 cpu servers to meet search requirements?

I have a question about using search-head clustering. If it can truly use "commodity" hardware, is there any reason that I can't cluster together a bunch of 4 cpu servers, to meet my search requirements? I find that Splunk uses the term "commodity" hardware very loosely. Why couldn't I have 10 servers, for example, providing the search-head clustering capability?...

Why did my dashboards disappear after upgrading to Search Head Clustering?

After I moved all my apps to my new Search Head Cluster per the documents, I am getting the following when going to my app: "Splunk cannot find the view 'homepage' " However, the app was copied directly from a working search head, the XML is there, the permissions are correct. None of the views can be seen in either the web UI or via the manager. What is going wrong?...

When will Search Head Clustering be enabled for Windows?

I was really looking forward to getting rid of search head pooling. Been a thorn in my side since implementing Splunk. Is it coming in a 6.2. dot release or 6.3?...

How to create and share users on Splunk 6.2 Search Head Clustering

How can I create user/roles to be shared between Search Heads on a Splunk 6.2 Clustering deployment?...

Search Head Pooling to Search Head Clustering Migration

As of Splunk 6.2, I see that search head pooling has been deprecated so I need to consider changing course from the infrastructure we've already embarked upon and think about how do I go from pooling to clustering for search heads. Right now the SH pooling I'm doing is pretty light but poised to be expanded. The most we have is 2 pooled servers behind a load balancer. I see there's different Splunk configuration (expected) and it appears that the requirement for NFS storage goes away. In te...

How to configure multisite clustering without search head affinity?

What is the correct way to disable search-head affinity in a multi-site cluster configuration?...

E mail configuration in distributed 2 search head cluster

Hi, we have two nodes as search heads, added to the master server. Now my question is: where do I need to configure AD and email settings? What do I need to do to integrate my company's AD with Splunk for authentication and access control? Also, where do I configure email settings, on the master or on individual search heads or indexers, so alerts can be triggered to the mail IDs?...

How to set up search head in Distributed Management Console of master node ?

Hi Splunkers,

Distributed Management Console (DMC) is the new feature of Splunk V6.2. http://docs.splunk.com/Documentation/Splunk/latest/Admin/ConfiguretheMonitoringConsole

I configured the Splunk clustering system - 1 search head, 3 peers, 1 master node. And I configured outputs.conf on the search head as follows.

```
[indexAndForward]
index = false

[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:...
```

Scheduled searches "lost" between search head and peers

Seeking ideas on how to debug a case of "lost" scheduled searches. Configuration is a search head pool (of 2) and a cluster of peer indexers (2). At the moment, one of the indexers is offline, so all searches are directed at the remaining indexer. An examination of the scheduler.log on the two search heads shows that a scheduled search at :30 each hour is occurring, sometimes executing on one search head, sometimes on the other. A problem arises when an occasional result includes 0 events, tho...

Finding out duplicate saved searches running on pooled search heads

Hi, below is the scenario: We have 4 search heads in a pool. There are multiple saved searches running on their schedule on each of them. But the problem is most of them are duplicates and I want to find and cancel the duplicate ones. On each search head there are at least 100 saved searches running. Can you please advise any simple way to identify duplicates and their status (i.e. enabled/disabled)? I have tried the REST API but it's a little confusing....... Regards, Thezero...

Distributed Search: Can't connect 6.2 search head to 4.3 indexer

I created a new development search head from a different Splunk instance. I changed the name of the new dev server in the server.conf and set up distributed search to my 6.x and 4.x indexers. Later I noticed that the log files were still showing up with the first dev server as the host name. I noticed the host name was different in the GUI under splunk>settings>general settings>server settings. I changed the "Splunk Server Name" and the "Default host name" and restarted splunkd. This broke th...

Distributed Search: After making a search head also an indexer, why are indexes created on the search head instead found on another indexer?

Stupid question time. I've got a pretty simple setup. Search head, two indexers. Everything works great. Except that my search head is overly resourced for being a search head, and I'd like to add some indexing to it. If I go into the Settings and create an Index, I see the directory appear on the Search Head just fine, usual location, but, as soon as I start actually indexing data, by, say, indexing a file or directory, the data appears on one of my Indexers and NOT on the Search Head. ...

search head clustering

I need a plan for a new infra Splunk setup.

- 1TB/day of log volume. The log volume can go up to 2TB/day.
- Number of concurrent users: >50
- Number of concurrent searches: >100
- Product will be deployed on: VMs/physical
- Search heads: 3, /opt/splunk -- 250GB
- Indexers: 6, with /splunk/logs 3TB to save hot/warm data

Few questions: if my replication factor is 3, so I'm assuming I need 3 nodes for search head clustering. What is the recommended size of file system needed on /opt/splunk on each sea...
