Are multisite primary buckets concurrently searchable by a search head cluster with site affinity disabled?

dolivasoh
Contributor

I've been wondering if a multisite indexer cluster with searchable primary buckets in each site will serve data from multiple sites concurrently if a search head cluster in site 0 (affinity disabled) runs multiple concurrent searches for the same data. Does anyone know if this is possible?

1 Solution

dshpritz
SplunkTrust

Further clarification after oob discussion:

A search head with search affinity enabled limits its searches to the primary copies on its own site, when possible.

In contrast, a search head with search affinity disabled distributes its search across primary copies on both sites. For a given bucket, you cannot know whether it will select the primary on site1 or the primary on site2. It does tend to use the same primaries from one search to the next.

So, the SH with disabled affinity will pull from primaries on both sites, but there's no telling which one it will pick.

sowings
Splunk Employee

| rest /services/cluster/master/buckets (from the Cluster Master) will have fields "primaries_by_site.<site>" listing the GUID of the indexer holding the primary for searches from site0. It may pull from all available sites, including those not within the local site. Furthermore, there are times when the primary for a given site (say site1) doesn't lie within site1. Also, all indexers are contacted by the SH for a multi-site search, but those indexers that don't have primaries for the requesting site simply report "These are not the buckets you're looking for. Move along."
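One way to see where site0 searches are actually served from, as an added example that is not part of the original thread or Splunk's own code: it tallies the "primaries_by_site.<site>" fields from the search above and lists site primaries held outside their own site. The row layout (a "title" bucket id plus flattened fields), the GUIDs and the GUID-to-site mapping are constructed assumptions.

```python
from collections import Counter

PREFIX = "primaries_by_site."

# Constructed sample rows, shaped like an export of
# `| rest /services/cluster/master/buckets` (assumption: "title" is the bucket id).
BUCKET_ROWS = [
    {"title": "bucket-001", PREFIX + "site0": "GUID-A1",
     PREFIX + "site1": "GUID-A1", PREFIX + "site2": "GUID-B1"},
    {"title": "bucket-002", PREFIX + "site0": "GUID-B2",
     PREFIX + "site1": "GUID-A2", PREFIX + "site2": "GUID-B2"},
    {"title": "bucket-003", PREFIX + "site0": "GUID-B1",
     PREFIX + "site1": "GUID-B1", PREFIX + "site2": "GUID-B1"},
    {"title": "bucket-004", PREFIX + "site0": "GUID-A2",
     PREFIX + "site1": "GUID-A2", PREFIX + "site2": "GUID-B2"},
]

# Constructed mapping of indexer GUID -> site the indexer lives in
# (assumption: compiled separately from the cluster's peer list).
PEER_SITE = {"GUID-A1": "site1", "GUID-A2": "site1",
             "GUID-B1": "site2", "GUID-B2": "site2"}


def site0_distribution(rows, peer_site):
    """Count, per physical site, how many buckets have their site0 primary there."""
    counts = Counter()
    for row in rows:
        guid = row.get(PREFIX + "site0")
        counts[peer_site.get(guid, "unknown") if guid else "no_primary"] += 1
    return dict(counts)


def offsite_primaries(rows, peer_site):
    """Return (bucket, site, holder_site) where a site's primary sits in another site."""
    found = []
    for row in rows:
        for key, guid in row.items():
            if not key.startswith(PREFIX) or not guid:
                continue
            site = key[len(PREFIX):]
            holder = peer_site.get(guid, "unknown")
            if site != "site0" and holder != site:
                found.append((row["title"], site, holder))
    return sorted(found)


if __name__ == "__main__":
    print("site0 primaries by hosting site:", site0_distribution(BUCKET_ROWS, PEER_SITE))
    for bucket, site, holder in offsite_primaries(BUCKET_ROWS, PEER_SITE):
        print(f"{bucket}: primary for {site} is held by an indexer in {holder}")
```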

dolivasoh
Contributor

Can't believe I didn't see this. So I guess this is possible but no way to know for sure or replicate. I wonder if this is the only case in which a search head chooses a bucket primary.
You should convert this to your answer and I'll hit accept. Thanks!

0 Karma

dshpritz
SplunkTrust

Converted 🙂

0 Karma

dshpritz
SplunkTrust

Per the docs, if a search head has affinity disabled, it will pull from both sites:

http://docs.splunk.com/Documentation/Splunk/6.3.3/Indexer/Multisitesearchaffinity#Disable_search_aff...

You can disable search affinity for any search head. When search affinity is disabled, the search head does not attempt to obtain search results from a single site only. Rather, it can obtain results from multiple sites. This can be useful, for example, if you have two data centers in close proximity with low latency, and you want to improve overall performance by spreading the processing across indexers on both sites.

HTH,

Dave

0 Karma

dolivasoh
Contributor

Some different wording and perspective.
A single search cluster in site 0 is searching for identical data in a multisite indexer cluster with 2 sites. If two search heads receive a request at the same time to search for the same data, does only one indexer serve that request or can one from each site serve one search head each, concurrently, and how does the master decide since both buckets are primary for their site?

0 Karma