A non-clustered Splunk environment has three indexers (A,B,C) and two search heads (X, Y). During a search executed on search head X, indexer A crashes. What is Splunk's response?
A.
Update the user in Splunk web informing them that the results of their search may be incomplete.
B.
Repeat the search request on indexer B without informing the user.
C.
Update the user in Splunk web that their results may be incomple and that Splunk will try to re-execute the search.
D.
Inform the user in Splunk web that their results may be incomplete and have them attempt the search from search head Y.
This is explained in the Splunk documentation1, which states:
If an indexer goes down during a search, the search head notifies you that the results might be incomplete. The search head does not attempt to re-run the search on another indexer.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit