Deployment Architecture

Multisite Cluster Search Heads an Knoweldge Objects

laithmurad
Path Finder

I'm testing multisite cluster that contains two sites with the following setup:

  • A server for the master node in site1
  • A peer in each site
  • A search head in each site.

Does the cluster take care of syncing knowledge objects created via the web interface? How? I tried creating a report while logged on in site2, but site1's search head didn't pick that up. Is that normal? If yes, how am I supposed to keep knowledge objects in sync while different users are creating reports/alerts/...

I've gone through the multisite cluster documentation, couldn't find any reference for knowledge objects and search heads.

Thanks.

mahamed_splunk
Splunk Employee
Splunk Employee

Multisite Clustering provides HA/DR at the indexer layer. The knowledge object lives in search head layer, so it is not synced or controlled by the multisite clustering. In order to sync knowledge objects you need to manually sync it using rsync or use SHP (Search Head Pooling).

To answer your other question, the status is not met because you don't have enough peers to meet the legacy replication factors. Use the following configs

sitereplication_factor= origin:1,
total:2

sitesearch_factor = origin:1, total:2

replication_factor = 1

search_factor = 1

0 Karma

laithmurad
Path Finder

@mahamed_splunk, are you sure about sitting replication_factor and search_factor to 1? I got it working with 2 now which makes more sense for my case.

0 Karma

laithmurad
Path Finder

thank you @mahamed_splunk that was really helpful, that fixed the "not met" state, I was aware of this but thought 2 would be the correct setting not 1. Can you point me to the proper way of doing this with rsync?

0 Karma

laithmurad
Path Finder

I should also mention that the cluster master clustering dashboard is saying that replication and search factor are NOT met, but its also saying that the number of searchable peers and indexes are 2, and 0 not not searchable.
I have this setting for both factors origin:1,site1:1,site2:1,total:2, and all peers and search heads have joined and up.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...