How to configure search affinity in multisite clustering?

alexandre_ouoto
Explorer

Hello Everyone,

I am having trouble with a multisite configuration (version 6.3). I have two sites:

site 1 : 1 master node, 1 search Head, 2 indexers
site 2 : 1 search head, 2 indexers

The multisite configuration is OK, but I have an issue with search affinity. The goal is to be able to access all cluster data with the search head on site 1 and only local data with the search head on site 2.

This is my configuration on master node

[general]
pass4SymmKey = passkey
serverName = masternode
site = site1

[clustering]
mode = master
pass4SymmKey = passkey
replication_factor = 2
available_sites = site1,site2
multisite = true
site_replication_factor = origin:2,total:2
site_search_factor = origin:2,total:2

This is my configuration on search head site 1

[general]
pass4SymmKey = passkey
serverName = searchHead1
site = site0

[clustering]
master_uri = clustermaster:masternode:8089
mode = searchhead

[clustermaster:masternode:8089]
master_uri = https://masternode:8089
multisite = true
pass4SymmKey = passkey

This is my configuration on search head site 2

[general]
pass4SymmKey = passkey
serverName = searchHead2
site = site2

[clustering]
master_uri = clustermaster:masternode:8089
mode = searchhead

[clustermaster:masternode:8089]
master_uri = https://masternode:8089
multisite = true
pass4SymmKey = passkey

This is my configuration on indexer 1 and 2 on site 1

[general]
pass4SymmKey = passkey
serverName = indexer
site = site1

[clustering]
master_uri = https://masternode:8089
mode = slave
pass4SymmKey = passkey

This is my configuration on indexer 1 and 2 on site 2

[general]
pass4SymmKey = passkey
serverName = indexer
site = site2

[clustering]
master_uri = https://masternode:8089
mode = slave
pass4SymmKey = passkey

According to the docs, I have to set site0 to disable search affinity and set siteX to enable local-only search.
The issue is that with this configuration it's exactly the opposite: the search head on site 1 can see only local data and the search head on site 2 can see all data.

Does anyone know what is wrong with my configuration? Thanks for your help.

dxu_splunk
Splunk Employee

just a heads up,

site_replication_factor = origin:2,total:2

sets it so that all your data is local to its original site. so a bucket created on site1 will not get replicated to site2. what you want is probably

site_replication_factor = origin:1,total:2

and the same for site_search_factor with the same searchhead configuration (site0 on site1 SH, site2 on site2 SH).

as for your observed problem, do you have a lot of buckets? is this a migrated cluster from non-multisite?

0 Karma

alexandre_ouoto
Explorer

Hi dxu,

Yes, it is intended that the data remains on its own site. But that does not prevent a search head from another site from accessing it?

Originally site 1 was a simple cluster indexer; I turned it multisite and joined site 2.

0 Karma

dxu_splunk
Splunk Employee

a searchhead, regardless of site, will always search all indexers. multisite affinity is simply returning as much data as possible from the local site. with your data staying on the local site, a search from site1 will always get results from site2, and site2 searches will always get results from site1 (since there are buckets that only exist on one site and not another).

have your site2 indexers indexed any data / created any buckets? a site0 search must be getting site2 events if there are buckets on site2 that only exist on site2...

0 Karma

alexandre_ouoto
Explorer

At the beginning, site 2 was empty, so any buckets were tagged with site 2. If I follow your reasoning, normally the search head on site 2 will not return site 1 results? Data on site 1 indexers was always tagged site 1 and data on site 2 indexers always tagged site 2.
If I understand correctly, to get the desired behavior, buckets on each site must exist only on their own site?
My site configuration is good, right?

0 Karma
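An added example, not part of the thread and not Splunk code: a small Python check that reads server.conf text shaped like the stanzas posted above and reports what the two settings discussed imply, namely how many copies of a bucket `site_replication_factor` leaves for sites other than the origin, and whether a search head's `site` value (`site0`) turns search affinity off. The function names and sample text are constructed for illustration, and only the `origin:N,total:N` form used in the thread is handled.

```python
import configparser

# Constructed sample: master-node stanzas shaped like the ones in the question.
MASTER_CONF = """
[general]
site = site1

[clustering]
mode = master
multisite = true
available_sites = site1,site2
site_replication_factor = origin:2,total:2
"""

# Constructed sample: the site 1 search head from the question.
SEARCH_HEAD_CONF = """
[general]
site = site0
"""

def load(text):
    """Parse server.conf text (Splunk .conf files are INI-like)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def parse_factor(value):
    """Turn 'origin:2,total:2' into {'origin': 2, 'total': 2}."""
    terms = {}
    for part in value.split(","):
        key, _, num = part.strip().partition(":")
        terms[key.strip()] = int(num)
    if set(terms) != {"origin", "total"}:
        raise ValueError("only origin/total terms are handled in this example")
    if terms["origin"] > terms["total"]:
        raise ValueError("origin cannot exceed total")
    return terms

def copies_off_origin(conf, key="site_replication_factor"):
    """Copies of each bucket left for sites other than the one that ingested it."""
    factor = parse_factor(conf.get("clustering", key))
    return factor["total"] - factor["origin"]

def affinity_enabled(conf):
    """A search head with site = site0 has search affinity disabled."""
    return conf.get("general", "site").strip().lower() != "site0"
```

With the posted `origin:2,total:2` the result is 0 copies off the origin site, which matches the first reply; `origin:1,total:2` gives 1.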