Solved: Re: Multisite and Single-Site Environment

hypePG · ‎01-24-2019

Hey everybody,

I am trying to set up a mix of multisite and single-site indexer cluster in an splunk enterprise environment.
I want our Searchhead Cluster to search through the multisite and single-site IDXC.

But after rolling out the SH configuration I get the following error.

The searchhead is unable to update the peer information. Error = 'Master has multisite enabled but it is missing the 'multisite' attribute' for master=xxx

My server.conf for the SH looks like this:

[general]
site=site0

[clustering]
mode = searchhead
master_uri = clustermaster:singlesite1,clustermaster:multisite1

[clustermaster:singlesite1]
multisite=false
master_uri=xxxx
pass4SymmKey=xxxx

[clustermaster:multisite1]
multisite=true
master_uri=xxxx
pass4SymmKey=xxxx
site=site1

After distributing this config the strange thing is, that the Multisite Configuration doesn't appear in the Webinterface on any SH.
If I add the multisite CM manually the error from above is popping up, and I cant search my data.

Second strange behaviour is that, when adding the SearchPeers themselve, without a CM, the data is searchable without any problem. Looks like the config isnt pulled.

Otherwise every conneciton works fine: IDXC-Singlesite -> CM Singlesite, IDXC-Multisite -> CM Multisite, and every instance is connected to a central Monitoring Console.
I read about a similiar problem in a question already asked, but the offered solution didnt help.

Thanks for any help,

Max

hypePG · ‎02-06-2019

Hey,

finally solved it. The problem was a configuration, made via the webinterface on the search heads. Together with the configuration received from our SH Deployer we ran into the problems i described.

We cleaned up the configuration files and everything is working like a charme.

Thanks for our help!

Max

View solution in original post

hypePG · ‎02-06-2019

Hey,

finally solved it. The problem was a configuration, made via the webinterface on the search heads. Together with the configuration received from our SH Deployer we ran into the problems i described.

We cleaned up the configuration files and everything is working like a charme.

Thanks for our help!

Max

harsmarvania57 · ‎01-24-2019

Hi,

Have a look at this document https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/Configuremulti-clustersearch, if you are searching across multi-site and single then you need to provide multisite and site attribute under clustermaster stanza. So remove site=site0 from [general] stanza.

hypePG · ‎01-24-2019

already tried this... not working same error 😞

rohit1793 · ‎05-30-2023

I am replying to very old thread but for members who will face this issue in future:

below the correct way:

[general]
serverName =
pass4SymmKey =
site = site(0|1|2)

[clustering]
manager_uri = https://xxxx:8089
mode = searchhead
pass4SymmKey =
multisite = true

Rohit Joshi
Splunk Architect

satyenshah · ‎01-10-2025

Based on the docs, I can't tell if there's a functional difference between this:

[clustering]
multisite = true

[clustermanager:prod]
multisite = true

[clustermanager:dev]
multisite = false

and this:

[clustering]

[clustermanager:prod]
multisite = true

[clustermanager:dev]

in server.conf on searchheads.

isoutamo · ‎01-11-2025

1st you should create a new question instead of add your questions into already long time ago closed question.

Both of those are working equivalently in technical point of view. But for human/ readability point of view at least I prefer the way where multisite attribute is set in closest place. Especially when you are looking those conf files it’s easier to see is that cluster multi or single site version. Of course you should use “splunk btool server list” command and check what it show.

How would I set up a Multisite and Single-Site Environment?

search head clustering

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application