I am trying to set up a mix of multisite and single-site indexer cluster in an splunk enterprise environment.
I want our Searchhead Cluster to search through the multisite and single-site IDXC.
But after rolling out the SH configuration I get the following error.
The searchhead is unable to update the peer information. Error = 'Master has multisite enabled but it is missing the 'multisite' attribute' for master=xxx
My server.conf for the SH looks like this:
[general] site=site0 [clustering] mode = searchhead master_uri = clustermaster:singlesite1,clustermaster:multisite1 [clustermaster:singlesite1] multisite=false master_uri=xxxx pass4SymmKey=xxxx [clustermaster:multisite1] multisite=true master_uri=xxxx pass4SymmKey=xxxx site=site1
After distributing this config the strange thing is, that the Multisite Configuration doesn't appear in the Webinterface on any SH.
If I add the multisite CM manually the error from above is popping up, and I cant search my data.
Second strange behaviour is that, when adding the SearchPeers themselve, without a CM, the data is searchable without any problem. Looks like the config isnt pulled.
Otherwise every conneciton works fine: IDXC-Singlesite -> CM Singlesite, IDXC-Multisite -> CM Multisite, and every instance is connected to a central Monitoring Console.
I read about a similiar problem in a question already asked, but the offered solution didnt help.
Thanks for any help,
Have a look at this document https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/Configuremulti-clustersearch, if you are searching across multi-site and single then you need to provide
site attribute under
clustermaster stanza. So remove
finally solved it. The problem was a configuration, made via the webinterface on the search heads. Together with the configuration received from our SH Deployer we ran into the problems i described.
We cleaned up the configuration files and everything is working like a charme.
Thanks for our help!