Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure multisite clustering without search head affinity?

my2ndhead
SplunkTrust
SplunkTrust
‎11-10-2014 12:05 PM

What is the correct way to disable search-head affinity in a multi-site cluster configuration?

Reply

renems
Communicator
‎02-01-2016 07:44 AM

You're right; there's no such thing as a "search affinity = disabled" switch.
However in splunk 6.3+ there is a supported way to turn it off, though, by indeed setting your search heads to a site that doesn't exist in your indexer cluster.

Modify your (search head) site (in $SPLUNK_HOME/etc/system/default/server.conf) to site=site0 to "disable" search affinity.

You can read all about it here: http://docs.splunk.com/Documentation/Splunk/6.3.0/DistSearch/DeploymultisiteSHC

Reply

jmallorquin
Builder
‎07-12-2016 06:21 AM

Hi,

After configure site=site0 in server.conf all the search head says error invalid site.
Is needed other configuration to disable search affinity?

Thanks,

0 Karma
Reply

renems
Communicator
‎02-01-2016 03:03 PM

Did try this myself, and works like a charm. Away is the latency for synchronization between sites. All you have to do is edit the site=site0 in $SPLUNK_HOME/etc/system/default/server.conf.
Don't forget to restart your search heads.

0 Karma
Reply

dxu_splunk
Splunk Employee
Splunk Employee
‎02-01-2016 03:19 PM

site=site0 disables site affinity in splunk 6.3+ 🙂
can you edit your answer to reflect that, and lets try to get it to the top

0 Karma
Reply

matthieu_araman
Communicator
‎02-11-2015 05:10 AM

Hello,

one solution I was told should work is to create a specific site id for your search heads
this way, every indexers appears in a remote site and all are used, which is in fact like having disabled search affinity.
I should be able to validate it in the future but I'm interested if anybody already did it that way.

Reply

mikaelbje
Motivator
‎06-25-2015 01:52 PM

Where did you get this information from? I have a case where this might be required. It would be great to know whether it's supported.

0 Karma
Reply

matthieu_araman
Communicator
‎06-26-2015 01:11 AM

indirectly but from a thrusworthy source. I don't see why it would not be supported as it's just a multisite splunk deployment with some thinking on top of it.
I will use this config but haven't yet been able to test it yet for mainly planning reasons.

0 Karma
Reply

johnstetter
Explorer
‎03-04-2015 07:53 AM

Any luck in getting this configuration working?

0 Karma
Reply

dxu_splunk
Splunk Employee
Splunk Employee
‎11-10-2014 03:31 PM

Theres currently no way to turn off search affinity

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-10-2014 01:52 PM

Edit: Not quite correct, apparently 😞

Judging by this: http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Multisitesearchaffinity#Implement_search_a...

You must explicitly specify the sites that require search affinity.

I'd say you get no search affinity if you don't explicitly specify any site in your site rep/search factors... for example, if you have three sites and want a copy in every site but no search affinity you'd specify this:

origin:1, total:3

As opposed to the search affinity for everyone version:

origin:1, site1: 1, site2: 1, site3: 1, total: 3
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-10-2014 03:16 PM

Bummer... does that mean there is no way to turn off search affinity?

0 Karma
Reply

dxu_splunk
Splunk Employee
Splunk Employee
‎11-10-2014 02:38 PM

This isn’t quite correct.

Search affinity is automatically set whenever a site has a searchable copy. There are two ways to get a site to have searchable copies of a bucket:

1 explicit: site_search_factor: … site2:1 …
This explicitly sets a searchable copy onto site2, so that a search with site2 will get all events from indexers of site2 (since site2 contains a full set of searchable buckets)

2 implicit: site_search_factor: origin:1 total:3 and 3 sites total
Since we have 3 sites, and total set to ‘3’, we will spread out 3 copies amongst 3 sites, so that each site will have a searchable copy. This means that all sites will have search affinity
Also see http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Sitereplicationfactor#What_is_a_site_repli..., the section that starts with "Because the total value can be greater” ...

Will update the docs with regards to this shortly...

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...