We are using distributed search groups ( http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Distributedsearchgroups ).
We have 2 sets of indexers. Index group A and index group b.
We have a config similar to the following.
distsearch.conf
[distributedSearch]
servers = indexa_1:8089,indexa_2:8089,indexb_1:8089,indexb_2:8089
[distributedSearch:groupa]
default = true
servers = indexa_1:8089,indexa_2:8089
[distributedSearch:groupb]
servers = indexb_1:8089,indexb_2:8089
[distributedSearch:all]
servers = indexa_1:8089,indexa_2:8089,indexb_1:8089,indexb_2:8089
I am finding that if I check /opt/splunk/var/log/splunk/remote_searches.log on indexb_1 or indexb_2 I can see certain searches from this search head hitting them when they shouldn't.
These particular searches do not have splunk_server_group=groupb or splunk_server_group=all in the query.
They do all seem to have "presummarize" or "scheduler" in their search. I'm not seeing interactive search sessions though.
Do distributes search groups only stop searches from interactive searches?
This seems like a hole/bug.
↧