Deployment Architecture

Are multisite primary buckets concurrently searchable by a search head cluster with site affinity disabled?

dolivasoh
Contributor

I've been wondering if a multisite indexer cluster with searchable primary buckets in each site will serve data from multiple sites concurrently if a search head cluster in site 0 (affinity disabled) runs multiple concurrent searches for the same data. Does anyone know if this is possible?

1 Solution

dshpritz
SplunkTrust
SplunkTrust

Further clarification after oob discussion:

A search head with search affinity enabled limits its searches to the primary copies on its own site, when possible.

In contrast, a search head with search affinity disabled distributes its search across primary copies on both sites. For a given bucket, you cannot know whether it will select the primary on site1 or the primary on site2. It does tend to use the same primaries from one search to the next.

So, the SH with disabled affinity will pull from primaries on both sites, but there's no telling which one it will pick.

View solution in original post

sowings
Splunk Employee
Splunk Employee

| rest /services/cluster/master/buckets (from the Cluster Master) will have fields "primaries_by_site.<site>" listing the GUID of the indexer holding the primary for searches from site0. It may pull from all available sites, including those not within the local site. Furthermore, there are times when the primary for a given site (say site1) don't lie within site1. Also, all indexers are contacted by the SH for a multi-site search, but those indexers that don't have primaries for the requesting site simply report "These are not the buckets you're looking for. Move along."

dshpritz
SplunkTrust
SplunkTrust

Further clarification after oob discussion:

A search head with search affinity enabled limits its searches to the primary copies on its own site, when possible.

In contrast, a search head with search affinity disabled distributes its search across primary copies on both sites. For a given bucket, you cannot know whether it will select the primary on site1 or the primary on site2. It does tend to use the same primaries from one search to the next.

So, the SH with disabled affinity will pull from primaries on both sites, but there's no telling which one it will pick.

dolivasoh
Contributor

Can't believe I didn't see this. So I guess this is possible but no way to know for sure or replicate. I wonder if this is the only case in which a search head chooses a bucket primary.
You should convert this to your answer and I'll hit accept. Thanks!

0 Karma

dshpritz
SplunkTrust
SplunkTrust

Converted 🙂

0 Karma

dshpritz
SplunkTrust
SplunkTrust

Per the docs, if a search head has affinity disabled, it will pull from both sites:

http://docs.splunk.com/Documentation/Splunk/6.3.3/Indexer/Multisitesearchaffinity#Disable_search_aff...

You can disable search affinity for any search head. When search affinity is disabled, the search head does not attempt to obtain search results from a single site only. Rather, it can obtain results from multiple sites. This can be useful, for example, if you have two data centers in close proximity with low latency, and you want to improve overall performance by spreading the processing across indexers on both sites.

HTH,

Dave

0 Karma

dolivasoh
Contributor

Some different wording and perspective.
A single search cluster in site 0 is searching for identical data in a multisite indexer cluster with 2 sites. If two search heads receive a request at the same time to search for the same data, does only one indexer serve that request or can one from each site serve one search head each, concurrently, and how does the master decide since both buckets are primary for their site?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...