Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search Affinity Disabled on multisite cluster : Search results are incomplete

amey2407
Splunk Employee
Splunk Employee
‎08-24-2021 11:42 PM

Hi,

We have a multisite cluster with 1 indexer on each site with 1 SH on primary site. Currently, when search affinity is enabled and we run a search for index "crowdstrike" , we can see past 30 days data. But when search affinity is disabled on the search head, the same search displays recent data and not the past 30 days.

Question: Is there something missing configuration wise?

Labels (2)
Preview file
38 KB
0 Karma
Reply

manikumarv
Explorer
‎10-12-2021 08:09 AM

Were you able to get this resolved?  We are experiencing the same when search affinity is disabled.

0 Karma
Reply

amey2407
Splunk Employee
Splunk Employee
‎10-12-2021 05:53 PM
@manikumarv Following were the steps followed by customer to resolve the issue. Hope this helps.
 
Apparently, the key steps are the ones highlighted below.
 

image (2).png

 
At the start of the MW, I've tried to add the search_factor=2 and restarted the CM for it to take effect, then to disable SA and restarted the SH.
Waited 10 mins or so but still the outcome was the same as before.
 
But I tried restarting the CM again, to ensure that all steps were followed to the key.
Almost immediately, the old events appeared.
 
Before
 

image (1).png

 
After
 

image.png

 
Tags (1)
Reply

manikumarv
Explorer
‎10-13-2021 12:56 PM

@amey2407 Thanks for the details.

We do have the [single-site] SF setting already on the CM as you noted.  But I did not try restarting CM after disabling SA on the SH.  I'll give that a try and let you know.

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...