Splunk® Enterprise

Distributed Search

Quarantine a search peer

You can quarantine a search peer to prevent it from participating in future searches. This is useful if the peer is experiencing problems, for example, due to a bad disk or network card. It can also be useful to quarantine a search peer while you upgrade it.

By quarantining, instead of stopping, a bad search peer, you can perform live troubleshooting on the peer.

You can override a quarantine for a specific search, if necessary. See How to override a quarantine.

What happens when you quarantine a search peer

When you quarantine a search peer, you prevent it from taking part in new searches. It continues to attempt to service any currently running searches.

The quarantine operation affects only the relationship between the search peer and its search head. The search peer continues to receive and index incoming data in its role as an indexer. If the peer is a member of an indexer cluster, it also continues to replicate data from other peer nodes.

If you need to fully halt the activities of the indexer, you must bring it down.

How to quarantine a search peer

To quarantine a search peer, run this CLI command from the search head:

splunk edit search-server -auth <user>:<password> <host>:<port> -action quarantine

Note the following:

  • Use the -auth flag to provide credentials for the search head only.
  • <host> is the host name or IP address of the search peer's host machine.
  • <port> is the management port of the search peer.

For example:

splunk edit search-server -auth admin:password 10.10.10.10:8089 -action quarantine

In a search head cluster, this command affects only the search head that it is run on. To quarantine a peer for all cluster members, you must run this command on each member.

You can also quarantine a search peer through the Search peers page on the search head's Splunk Web. See View search peer status in Settings.

How to unquarantine a search peer

To remove a search peer from quarantine, run this command from the search head:

splunk edit search-server -auth <user>:<password> <host>:<port> -action unquarantine

Note the following:

  • Use the -auth flag to provide credentials for the search head only.
  • <host> is the host name or IP address of the search peer's host machine.
  • <port> is the management port of the search peer.

For example:

splunk edit search-server -auth admin:password 10.10.10.10:8089 -action unquarantine
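
The quarantine and unquarantine commands above, wrapped as an added example (not part of the Splunk documentation or Splunk's own code): a POSIX shell script that checks each <host>:<port> before it reaches the CLI and applies one action to a list of peers. The function names and the SPLUNK_BIN, SPLUNK_AUTH and DRY_RUN variables are assumptions of this example; by default it only prints the commands.

```shell
#!/bin/sh
# Added example (not Splunk's code). Hypothetical names: valid_peer, peer_action,
# batch_peers, and the SPLUNK_BIN / SPLUNK_AUTH / DRY_RUN environment variables.
SPLUNK_BIN=${SPLUNK_BIN:-splunk}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, anything else = run them

# Accept only <host>:<port> with a hostname or IPv4 host and a port in 1-65535.
valid_peer() {
    host=${1%:*}; port=${1##*:}
    [ "$host:$port" = "$1" ] || return 1          # no colon at all
    case $host in ''|.*|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $port in ''|0*|*[!0-9]*|??????*) return 1 ;; esac
    [ "$port" -le 65535 ]
}

# Print or run the documented command for one peer.
peer_action() {
    action=$1; peer=$2
    case $action in
        quarantine|unquarantine) ;;
        *) echo "unsupported action: $action" >&2; return 2 ;;
    esac
    valid_peer "$peer" || { echo "skipping malformed peer: $peer" >&2; return 2; }
    if [ "$DRY_RUN" = 1 ]; then
        echo "$SPLUNK_BIN edit search-server -auth <user>:<password> $peer -action $action"
    else
        "$SPLUNK_BIN" edit search-server \
            -auth "${SPLUNK_AUTH:?set SPLUNK_AUTH to <user>:<password>}" \
            "$peer" -action "$action"
    fi
}

# Apply one action to several peers; succeed only if every peer succeeded.
# In a search head cluster, run this on each member: the command only
# changes the search head it runs on.
batch_peers() {
    batch_action=$1; shift
    failed=0
    for p in "$@"; do
        peer_action "$batch_action" "$p" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ]
}

# Constructed sample input: the second entry lacks a port and is skipped.
batch_peers quarantine 10.10.10.10:8089 idx-tk421-03 || echo "not all peers processed" >&2
```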

How to override a quarantine

When a peer is quarantined, it does not ordinarily participate in searches. You can, however, override the quarantine on a search-by-search basis. To do so, the search must target the peer directly with the splunk_server field. For example:

index=_internal splunk_server=idx-tk421-03 (log_level=WARN OR log_level=ERROR)

Note: If the peer is a member of a distributed search group, you cannot override the quarantine by specifying the splunk_server_group field of its search group. You must specify the peer directly with the splunk_server field.


This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.6.0, 6.6.1

