Deployment Architecture

Search Affinity Disabled on multisite cluster : Search results are incomplete

amey2407
Splunk Employee

Hi,

We have a multisite cluster with 1 indexer on each site and 1 SH on the primary site. Currently, when search affinity is enabled and we run a search for index "crowdstrike", we can see the past 30 days of data. But when search affinity is disabled on the search head, the same search displays recent data and not the past 30 days.

Question: Is there something missing configuration-wise?


manikumarv
Explorer

Were you able to get this resolved? We are experiencing the same when search affinity is disabled.


amey2407
Splunk Employee
@manikumarv The following were the steps followed by the customer to resolve the issue. Hope this helps.
 
Apparently, the key steps are the ones highlighted below.
 

[Image: image (2).png]

 
At the start of the MW, I tried adding search_factor=2 and restarted the CM for it to take effect, then disabled SA and restarted the SH.
Waited 10 mins or so but still the outcome was the same as before.
 
But I tried restarting the CM again, to ensure that all steps were followed to the key.
Almost immediately, the old events appeared.
 
Before
 

[Image: image (1).png]

 
After
 

[Image: image.png]

 

manikumarv
Explorer

@amey2407 Thanks for the details.

We do have the [single-site] SF setting already on the CM as you noted. But I did not try restarting CM after disabling SA on the SH. I'll give that a try and let you know.
