Deployment Architecture

How would I set up a Multisite and Single-Site Environment?

hypePG
Path Finder

Hey everybody,

I am trying to set up a mix of multisite and single-site indexer cluster in an splunk enterprise environment.
I want our Searchhead Cluster to search through the multisite and single-site IDXC.

But after rolling out the SH configuration I get the following error.

The searchhead is unable to update the peer information. Error = 'Master has multisite enabled but it is missing the 'multisite' attribute' for master=xxx

My server.conf for the SH looks like this:

[general]
site=site0

[clustering]
mode = searchhead
master_uri = clustermaster:singlesite1,clustermaster:multisite1

[clustermaster:singlesite1]
multisite=false
master_uri=xxxx
pass4SymmKey=xxxx

[clustermaster:multisite1]
multisite=true
master_uri=xxxx
pass4SymmKey=xxxx
site=site1

After distributing this config the strange thing is, that the Multisite Configuration doesn't appear in the Webinterface on any SH.
If I add the multisite CM manually the error from above is popping up, and I cant search my data.

Second strange behaviour is that, when adding the SearchPeers themselve, without a CM, the data is searchable without any problem. Looks like the config isnt pulled.

Otherwise every conneciton works fine: IDXC-Singlesite -> CM Singlesite, IDXC-Multisite -> CM Multisite, and every instance is connected to a central Monitoring Console.
I read about a similiar problem in a question already asked, but the offered solution didnt help.

Thanks for any help,

Max

Labels (1)
0 Karma
1 Solution

hypePG
Path Finder

Hey,

finally solved it. The problem was a configuration, made via the webinterface on the search heads. Together with the configuration received from our SH Deployer we ran into the problems i described.

We cleaned up the configuration files and everything is working like a charme.

Thanks for our help!

Max

View solution in original post

0 Karma

hypePG
Path Finder

Hey,

finally solved it. The problem was a configuration, made via the webinterface on the search heads. Together with the configuration received from our SH Deployer we ran into the problems i described.

We cleaned up the configuration files and everything is working like a charme.

Thanks for our help!

Max

0 Karma

harsmarvania57
Ultra Champion

Hi,

Have a look at this document https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/Configuremulti-clustersearch, if you are searching across multi-site and single then you need to provide multisite and site attribute under clustermaster stanza. So remove site=site0 from [general] stanza.

0 Karma

hypePG
Path Finder

already tried this... not working same error 😞

0 Karma

rohit1793
Explorer

I am replying to very old thread but for members who will face this issue in future:

below the correct way:

[general]
serverName = 
pass4SymmKey = 
site = site(0|1|2)

 

[clustering]
manager_uri = https://xxxx:8089
mode = searchhead
pass4SymmKey = 
multisite = true

 

 

 

 

Rohit Joshi
Splunk Architect
0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...