I'm testing a multisite cluster that contains two sites with the following setup:
Does the cluster take care of syncing knowledge objects created via the web interface? How? I tried creating a report while logged on in site2, but site1's search head didn't pick that up. Is that normal? If yes, how am I supposed to keep knowledge objects in sync while different users are creating reports/alerts/...?
I've gone through the multisite cluster documentation, but couldn't find any reference to knowledge objects and search heads.
Multisite Clustering provides HA/DR at the indexer layer. The knowledge object lives in the search head layer, so it is not synced or controlled by multisite clustering. In order to sync knowledge objects, you need to manually sync them using rsync or use SHP (Search Head Pooling).
To answer your other question, the status is not met because you don't have enough peers to meet the legacy replication factors. Use the following configs:
site_search_factor = origin:1, total:2
replication_factor = 1
search_factor = 1
Thank you @mahamed_splunk, that was really helpful. That fixed the "not met" state. I was aware of this but thought 2 would be the correct setting, not 1. Can you point me to the proper way of doing this with rsync?
I should also mention that the cluster master clustering dashboard is saying that the replication and search factors are NOT met, but it's also saying that the number of searchable peers and indexes is 2, and 0 not searchable.
I have this setting for both factors: origin:1,site1:1,site2:1,total:2, and all peers and search heads have joined and are up.