Search Affinity Disabled on multisite cluster : Se...

amey2407 · ‎08-24-2021

Hi,

We have a multisite cluster with 1 indexer on each site with 1 SH on primary site. Currently, when search affinity is enabled and we run a search for index "crowdstrike" , we can see past 30 days data. But when search affinity is disabled on the search head, the same search displays recent data and not the past 30 days.

Question: Is there something missing configuration wise?

manikumarv · ‎10-12-2021

Were you able to get this resolved? We are experiencing the same when search affinity is disabled.

amey2407 · ‎10-12-2021

@manikumarv Following were the steps followed by customer to resolve the issue. Hope this helps.

Apparently, the key steps are the ones highlighted below.

image (2).png

At the start of the MW, I've tried to add the search_factor=2 and restarted the CM for it to take effect, then to disable SA and restarted the SH.

Waited 10 mins or so but still the outcome was the same as before.

But I tried restarting the CM again, to ensure that all steps were followed to the key.

Almost immediately, the old events appeared.

Before

image (1).png

After

manikumarv · ‎10-13-2021

@amey2407 Thanks for the details.

We do have the [single-site] SF setting already on the CM as you noted. But I did not try restarting CM after disabling SA on the SH. I'll give that a try and let you know.

Search Affinity Disabled on multisite cluster : Search results are incomplete

indexer clustering

search head

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout