Splunk Enterprise

Why should search affinity be disabled in Multisite Search Head Cluster?

gkas99
Explorer

We have a multisite indexer cluster spanning 2 DCs, one on the west coast and another on the east coast.
I am now working on a project to move from a single search head to a multisite search head cluster setup.

I have trouble understanding what the benefit of turning off the search affinity in the SHC really is.

My understanding is that search affinity reduces traffic between sites because search heads only get results from indexers on their local site, meaning searches can run faster? (Ref: https://docs.splunk.com/Documentation/Splunk/8.2.2/Indexer/Multisitesearchaffinity)

However, this SHC document, https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/DeploymultisiteSHC, recommends turning search affinity off so that:

  • Search heads run searches across indexers spanning all sites
  • If, instead, you set different search heads to different sites, the end user might notice lag time in getting some results, depending on which search head happens to run a particular search.

Well, wouldn't turning off search affinity make searches run slower if a search head gets results it needs from an indexer from another site?

It sounds to me like these 2 documents contradict each other, unless I'm missing something.

0 Karma

sbridge
Explorer

As usual, the answer is "it depends". If you are not using a "stretched" SH cluster, and all data is replicated and searchable in both sites, then you would want to turn on site affinity. The two answers are using different assumptions, which they don't explain well, but both can be correct depending on your architecture.

The second answer is assuming you have a single stretched SH cluster.

0 Karma

isoutamo
SplunkTrust

Hi

In your case, when those DCs are quite far away from each other, there is probably no real advantage to disabling this feature. But there are a lot of installations where multisite clusters have been implemented even in the same DC or even the same computer room for other reasons. Earlier, one reason was that you could do an "online" update if you were using multisite. Currently this can be done without it.

r. Ismo 

0 Karma

gkas99
Explorer

Right, but what I still don't understand is the following point when having search affinity enabled in SHC:

  • If, instead, you set different search heads to different sites, the end user might notice lag time in getting some results, depending on which search head happens to run a particular search.

In the case of an SHC spanning 2 DCs that are far away from each other, with search affinity enabled, search heads get results from their local indexers anyway so there should not be slow responses? Unless, of course, the site becomes invalid and the search heads have to reach out to remote indexers, but that is an outage situation in which slow response is understandable.

In the case of an SHC spanning 2 DCs in close proximity, it doesn't really matter whether you have search affinity on or off because search heads should get very good responses from indexers on any site.

So in what scenario might users notice the lag?

0 Karma