Use distributed search
From the user standpoint, specifying and running a distributed search is essentially the same as running any other search. Behind the scenes, the search head distributes the query to its search peers and consolidates the results when presenting them to the user.
Your users do not have the ability to specify which search peers participate in a search. They do, however, need to be aware of the distributed search configuration in order to troubleshoot.
Perform distributed searches
In general, you specify a distributed search through the same set of commands as for a local search. However, Splunk provides several additional commands and options to assist with controlling and limiting a distributed search.
A search head by default runs its searches across all search peers in its cluster. You can limit a search to one or more search peers by specifying the splunk_server field in your query. See Search across one or more distributed servers in the User manual.
The search command localop is also of use in defining distributed searches. It enables you to limit the execution of subsequent commands to the search head. See the description of localop in the Search Reference for details and an example.
In addition, the lookup command provides a local argument for use with distributed searches. If set to true, the lookup occurs only on the search head; if false, the lookup occurs on the search peers as well. This is particularly useful for scripted lookups, which replicate lookup tables. See the description of lookup in the Search Reference for details and an example.
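The following search, constructed for this page and not taken from the Splunk documentation, combines the three controls described above: the splunk_server field restricts the search to peers whose names match idx*, lookup local=true runs the lookup on the search head only, and localop forces the final stats to run on the search head. The index, sourcetype, peer names and the host_owner lookup table are hypothetical.

```spl
index=web sourcetype=access_combined splunk_server=idx* status>=500
| lookup local=true host_owner host OUTPUT owner
| localop
| stats count BY host, owner
```

Order matters: commands placed after localop never execute on the peers, so a lookup placed there would already be search-head-only without local=true.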
Troubleshoot the distributed search
This table lists some of the more common search-time error messages associated with distributed search:
| Error message | Meaning |
|---|---|
| status=down | The specified remote peer is not available. |
| status=not a splunk server | The specified remote peer is not a Splunk server. |
| duplicate license | The specified remote peer is using a duplicate license. |
| certificate mismatch | Authentication with the specified remote peer failed. |
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11.