Splunk Enterprise

Do I need a different SH site id for a 2nd SH cluster, both talking to the same IDX cluster?

rjk123
Explorer

I am creating a 2nd SH cluster (with its own Deployer), and both SH clusters (old and new) will be accessing a single (multi-site) IDX cluster.

The existing SH cluster is using Site 0, and the indexers are using site 1 and 2. Do I need to configure the new SH cluster with a unique site id, e.g. Site 4, or does it not matter?

There seems to be about zero docs for multiple SH clustering.

Thanks.

0 Karma
1 Solution

PickleRick
SplunkTrust

site0 for SH disables site affinity which means that SH will call all your sites for results.

But even if you had site affinity, there's no general rule against multiple search heads or search head clusters in the same site.

You should not configure your SHC with a unique site id though because then it would want to search only from indexers in that site and since you have only indexers in sites 1 and 2...

rjk123
Explorer

Thanks for this, now I get it - the SHC site has nothing to do with SHs, but is a reference to the IDX cluster sites.

I found this page, Deploy a search head cluster in a multisite environment - Splunk Documentation, with the following text: 

"It is recommended that you set each search head's site attribute to "site0", to disable search affinity. When search affinity is disabled, the search head runs its searches across indexers spanning all sites."

0 Karma

PickleRick
SplunkTrust

Yes. It references which site your SHC should search against. And while typically you use the special site0 which means "no site affinity, just search across all nodes in the cluster", there are some scenarios when you could want a SHC tied to a particular cluster.

Let's say you have a multisite cluster with three sites - one per your company's division - and you have RF at 2 per site and SF at 1 per site. You might want to restrict every division to search only local data because you don't want to overuse the WAN links. So you give each division its own SH or SHC and configure it to search only their local site.

On the other hand if your sites are primarily for data safety purposes and you have a single SHC - you wouldn't set site affinity so that your SHC can search across all nodes.

0 Karma
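
The settings discussed in the answers above, as an added example that is not part of the thread or of Splunk's documentation: `server.conf` for members of two search head clusters sharing one multisite indexer cluster, plus the site-affinity variant from the per-division scenario. Hostnames, labels and secrets are placeholders; `master_uri` is the 8.2 setting name (9.x also accepts `manager_uri`).

```ini
# ---- server.conf on each member of the EXISTING search head cluster ----
[general]
# site0 = no search affinity: searches go to indexers in all sites
site = site0

[clustering]
mode = searchhead
multisite = true
# Both SHCs point at the same indexer cluster manager (placeholder host)
master_uri = https://cm.example.internal:8089
pass4SymmKey = <indexer-cluster-secret>

[shclustering]
# What makes this a separate SHC: its own label, deployer and secret
shcluster_label = shc_old
conf_deploy_fetch_url = https://deployer-old.example.internal:8089
pass4SymmKey = <shc-old-secret>

# ---- server.conf on each member of the NEW search head cluster ----
[general]
# Same value as the old SHC; the site id refers to indexer cluster sites,
# so it does not have to be unique per search head cluster
site = site0

[clustering]
mode = searchhead
multisite = true
master_uri = https://cm.example.internal:8089
pass4SymmKey = <indexer-cluster-secret>

[shclustering]
shcluster_label = shc_new
conf_deploy_fetch_url = https://deployer-new.example.internal:8089
pass4SymmKey = <shc-new-secret>

# ---- Variant: a per-division SH or SHC with search affinity ----
[general]
# Must name a site that actually holds indexers (site1 or site2 here).
# A made-up id such as site4 matches no indexer site.
site = site1
```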

meetmshah
Builder

Hello @rjk123, Per https://docs.splunk.com/Documentation/Splunk/8.2.0/DistSearch/DeploymultisiteSHC#Search_head_cluster... - 

  • Search head clusters do not have site awareness
  • Site awareness is less critical for a search head cluster than an indexer cluster. If a search head cluster member is missing a replicated copy of a search artifact, the cluster proxies it from another member, which could reside on the same site or on another site

I believe it's okay to have both clusters in the same site.

Please accept the solution and hit Karma, if this helps!
