General troubleshooting issues
Clock skew between search heads and search peers can affect search behavior
You must keep the clocks on your search heads and search peers in sync, via NTP (network time protocol) or some similar means. If the clocks are out-of-sync by more than a few seconds, you can end up with search failures or premature expiration of search artifacts.
Searches can fail if configurations in a knowledge bundle have not yet been replicated to search peers
Configuration changes can take a short time to propagate from search heads to search peers. As a result, during the time between when configuration changes are made on the search head and when they're replicated to the search peers (typically, not more than a few minutes), distributed searches can either fail or provide results based on the previous configuration.
Types of configuration changes that can cause search failures are those that involve new apps or changes to
authorize.conf. Examples include:
- changing the allowed indexes for a role and then running a search as a user within that role
- creating a new app and then running a search from within that app
Any failures will be noted in messages on the search head.
Types of changes that can provide results based on the previous configuration include changing a field extraction or a lookup table file.
To remediate, run the search again.
Network problems can reduce search performance
A 6.x search head by default asks its search peers to generate a remote timeline. This can result in slow searches if the connection between the search head and the search peers is unstable.
The workaround is to add the following setting to
limits.conf on the search head :
[search] remote_timeline_fetchall = false
After making this change, you must restart the search head.
Use the DMC to view distributed search status
Handle slow search peers
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13