- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- How would I set up a Multisite and Single-Site Env...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey everybody,
I am trying to set up a mix of multisite and single-site indexer cluster in an splunk enterprise environment.
I want our Searchhead Cluster to search through the multisite and single-site IDXC.
But after rolling out the SH configuration I get the following error.
The searchhead is unable to update the peer information. Error = 'Master has multisite enabled but it is missing the 'multisite' attribute' for master=xxx
My server.conf for the SH looks like this:
[general]
site=site0
[clustering]
mode = searchhead
master_uri = clustermaster:singlesite1,clustermaster:multisite1
[clustermaster:singlesite1]
multisite=false
master_uri=xxxx
pass4SymmKey=xxxx
[clustermaster:multisite1]
multisite=true
master_uri=xxxx
pass4SymmKey=xxxx
site=site1
After distributing this config the strange thing is, that the Multisite Configuration doesn't appear in the Webinterface on any SH.
If I add the multisite CM manually the error from above is popping up, and I cant search my data.
Second strange behaviour is that, when adding the SearchPeers themselve, without a CM, the data is searchable without any problem. Looks like the config isnt pulled.
Otherwise every conneciton works fine: IDXC-Singlesite -> CM Singlesite, IDXC-Multisite -> CM Multisite, and every instance is connected to a central Monitoring Console.
I read about a similiar problem in a question already asked, but the offered solution didnt help.
Thanks for any help,
Max
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
finally solved it. The problem was a configuration, made via the webinterface on the search heads. Together with the configuration received from our SH Deployer we ran into the problems i described.
We cleaned up the configuration files and everything is working like a charme.
Thanks for our help!
Max
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
finally solved it. The problem was a configuration, made via the webinterface on the search heads. Together with the configuration received from our SH Deployer we ran into the problems i described.
We cleaned up the configuration files and everything is working like a charme.
Thanks for our help!
Max
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Have a look at this document https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/Configuremulti-clustersearch, if you are searching across multi-site and single then you need to provide multisite and site attribute under clustermaster stanza. So remove site=site0 from [general] stanza.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
already tried this... not working same error 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am replying to very old thread but for members who will face this issue in future:
below the correct way:
[general]
serverName =
pass4SymmKey =
site = site(0|1|2)
[clustering]
manager_uri = https://xxxx:8089
mode = searchhead
pass4SymmKey =
multisite = true
Splunk Architect
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
