Deployment Architecture

How to configure multisite clustering without search head affinity?

my2ndhead
SplunkTrust
SplunkTrust

What is the correct way to disable search-head affinity in a multi-site cluster configuration?

renems
Communicator

You're right; there's no such thing as a "search affinity = disabled" switch.
However in splunk 6.3+ there is a supported way to turn it off, though, by indeed setting your search heads to a site that doesn't exist in your indexer cluster.

Modify your (search head) site (in $SPLUNK_HOME/etc/system/default/server.conf) to site=site0 to "disable" search affinity.

You can read all about it here: http://docs.splunk.com/Documentation/Splunk/6.3.0/DistSearch/DeploymultisiteSHC

jmallorquin
Builder

Hi,

After configure site=site0 in server.conf all the search head says error invalid site.
Is needed other configuration to disable search affinity?

Thanks,

0 Karma

renems
Communicator

Did try this myself, and works like a charm. Away is the latency for synchronization between sites. All you have to do is edit the site=site0 in $SPLUNK_HOME/etc/system/default/server.conf.
Don't forget to restart your search heads.

0 Karma

dxu_splunk
Splunk Employee
Splunk Employee

site=site0 disables site affinity in splunk 6.3+ 🙂
can you edit your answer to reflect that, and lets try to get it to the top

0 Karma

matthieu_araman
Communicator

Hello,

one solution I was told should work is to create a specific site id for your search heads
this way, every indexers appears in a remote site and all are used, which is in fact like having disabled search affinity.
I should be able to validate it in the future but I'm interested if anybody already did it that way.

mikaelbje
Motivator

Where did you get this information from? I have a case where this might be required. It would be great to know whether it's supported.

0 Karma

matthieu_araman
Communicator

indirectly but from a thrusworthy source. I don't see why it would not be supported as it's just a multisite splunk deployment with some thinking on top of it.
I will use this config but haven't yet been able to test it yet for mainly planning reasons.

0 Karma

johnstetter
Explorer

Any luck in getting this configuration working?

0 Karma

dxu_splunk
Splunk Employee
Splunk Employee

Theres currently no way to turn off search affinity

martin_mueller
SplunkTrust
SplunkTrust

Edit: Not quite correct, apparently 😞

Judging by this: http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Multisitesearchaffinity#Implement_search_a...

You must explicitly specify the sites that require search affinity.

I'd say you get no search affinity if you don't explicitly specify any site in your site rep/search factors... for example, if you have three sites and want a copy in every site but no search affinity you'd specify this:

origin:1, total:3

As opposed to the search affinity for everyone version:

origin:1, site1: 1, site2: 1, site3: 1, total: 3
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Bummer... does that mean there is no way to turn off search affinity?

0 Karma

dxu_splunk
Splunk Employee
Splunk Employee

This isn’t quite correct.

Search affinity is automatically set whenever a site has a searchable copy. There are two ways to get a site to have searchable copies of a bucket:

1 explicit: site_search_factor: … site2:1 …
This explicitly sets a searchable copy onto site2, so that a search with site2 will get all events from indexers of site2 (since site2 contains a full set of searchable buckets)

2 implicit: site_search_factor: origin:1 total:3 and 3 sites total
Since we have 3 sites, and total set to ‘3’, we will spread out 3 copies amongst 3 sites, so that each site will have a searchable copy. This means that all sites will have search affinity
Also see http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Sitereplicationfactor#What_is_a_site_repli..., the section that starts with "Because the total value can be greater” ...

Will update the docs with regards to this shortly...

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...