Deployment Architecture

Search Affinity Disabled on multisite cluster : Search results are incomplete

amey2407
Splunk Employee
Splunk Employee

Hi,

We have a multisite cluster with 1 indexer on each site with 1 SH on primary site. Currently, when search affinity is enabled and we run a search for index "crowdstrike" , we can see past 30 days data. But when search affinity is disabled on the search head, the same search displays recent data and not the past 30 days.

Question: Is there something missing configuration wise?

Labels (2)
0 Karma

manikumarv
Explorer

Were you able to get this resolved?  We are experiencing the same when search affinity is disabled.

0 Karma

amey2407
Splunk Employee
Splunk Employee
@manikumarv Following were the steps followed by customer to resolve the issue. Hope this helps.
 
Apparently, the key steps are the ones highlighted below.
 

image (2).png

 
At the start of the MW, I've tried to add the search_factor=2 and restarted the CM for it to take effect, then to disable SA and restarted the SH.
Waited 10 mins or so but still the outcome was the same as before.
 
But I tried restarting the CM again, to ensure that all steps were followed to the key.
Almost immediately, the old events appeared.
 
Before
 

image (1).png

 
After
 

image.png

 
Tags (1)

manikumarv
Explorer

@amey2407 Thanks for the details.

We do have the [single-site] SF setting already on the CM as you noted.  But I did not try restarting CM after disabling SA on the SH.  I'll give that a try and let you know.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...