Deployment Architecture

How would I set up a Multisite and Single-Site Environment?

hypePG
Path Finder

Hey everybody,

I am trying to set up a mix of multisite and single-site indexer cluster in an splunk enterprise environment.
I want our Searchhead Cluster to search through the multisite and single-site IDXC.

But after rolling out the SH configuration I get the following error.

The searchhead is unable to update the peer information. Error = 'Master has multisite enabled but it is missing the 'multisite' attribute' for master=xxx

My server.conf for the SH looks like this:

[general]
site=site0

[clustering]
mode = searchhead
master_uri = clustermaster:singlesite1,clustermaster:multisite1

[clustermaster:singlesite1]
multisite=false
master_uri=xxxx
pass4SymmKey=xxxx

[clustermaster:multisite1]
multisite=true
master_uri=xxxx
pass4SymmKey=xxxx
site=site1

After distributing this config the strange thing is, that the Multisite Configuration doesn't appear in the Webinterface on any SH.
If I add the multisite CM manually the error from above is popping up, and I cant search my data.

Second strange behaviour is that, when adding the SearchPeers themselve, without a CM, the data is searchable without any problem. Looks like the config isnt pulled.

Otherwise every conneciton works fine: IDXC-Singlesite -> CM Singlesite, IDXC-Multisite -> CM Multisite, and every instance is connected to a central Monitoring Console.
I read about a similiar problem in a question already asked, but the offered solution didnt help.

Thanks for any help,

Max

Labels (1)
0 Karma
1 Solution

hypePG
Path Finder

Hey,

finally solved it. The problem was a configuration, made via the webinterface on the search heads. Together with the configuration received from our SH Deployer we ran into the problems i described.

We cleaned up the configuration files and everything is working like a charme.

Thanks for our help!

Max

View solution in original post

0 Karma

hypePG
Path Finder

Hey,

finally solved it. The problem was a configuration, made via the webinterface on the search heads. Together with the configuration received from our SH Deployer we ran into the problems i described.

We cleaned up the configuration files and everything is working like a charme.

Thanks for our help!

Max

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

Have a look at this document https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/Configuremulti-clustersearch, if you are searching across multi-site and single then you need to provide multisite and site attribute under clustermaster stanza. So remove site=site0 from [general] stanza.

0 Karma

hypePG
Path Finder

already tried this... not working same error 😞

0 Karma

rohit1793
SplunkTrust
SplunkTrust

I am replying to very old thread but for members who will face this issue in future:

below the correct way:

[general]
serverName = 
pass4SymmKey = 
site = site(0|1|2)

 

[clustering]
manager_uri = https://xxxx:8089
mode = searchhead
pass4SymmKey = 
multisite = true

 

 

 

 

Rohit Joshi
Splunk Architect
0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...