Splunk Search

Hybrid Search not working in Splunk Cloud "The searchhead is unable to update the peer information. Error = 'Master has multisite enabled but the search head is missing the 'multisite' attribute' for master"

khourihan_splun
Splunk Employee
Splunk Employee

When I join the Hybrid Search Head to Cloud clustermaster I get this error.

The searchhead is unable to update the peer information. Error = 'Master has multisite enabled but the search head is missing the 'multisite' attribute' for master

What gives?

Tags (1)
0 Karma
1 Solution

khourihan_splun
Splunk Employee
Splunk Employee

This is because Splunk Cloud has multi-site enabled.
To fix that you should run this command on the SH on your laptop from the bin folder:

splunk edit cluster-master https://c0m1.example.splunkcloud.com:8089 -site site0

Splunk Cloud uses sites 1-3, so make sure you pick <1 >3

View solution in original post

0 Karma

woodcock
Esteemed Legend

I finally figured this out. The problem is that there is a bug in the error logic and the text is completely wrong! What it should say is something like

Error = Master has multisite enabled but the search head is missing the 'multisite' or any 'site=' attribute

In my case, it was the site=site1 that was missing. When I added this, it fixed the problem. Running this command will fix this because it will add site=site to server.conf, not because it changes anything with multisite:

splunk edit cluster-config -mode searchhead -site site1 -master_uri https://xx.xxx.xx.xxx:808

However you should not be configuring clusters through the CLI or GUI into /opt/splunk/etc/system, you should be configuring them through the configuration files, which is why I am pointing out the true nature of the problem and the right way to fix it.

0 Karma

khourihan_splun
Splunk Employee
Splunk Employee

This is because Splunk Cloud has multi-site enabled.
To fix that you should run this command on the SH on your laptop from the bin folder:

splunk edit cluster-master https://c0m1.example.splunkcloud.com:8089 -site site0

Splunk Cloud uses sites 1-3, so make sure you pick <1 >3

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...