Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help with distributed search and multi-site index clustering

a212830
Champion
‎03-21-2016 06:57 PM

Hi,

I've setup a dev env with 3 sites. I also have a SHC configured, and need to setup distributed search, so the SH read from the IDX.

Looking at this page - http://docs.splunk.com/Documentation/Splunk/6.3.3/DistSearch/SHCandindexercluster - I see the command, but I'm not quite certain on the "site0" part. My sites are site1, site2, site3. The CM is in site1.

So my question is what value should I pass for a site in the cluster-config command.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎03-21-2016 08:15 PM

The site0 configuration has to do with site affinity in the cluster. When you dont want to bind a SH specifically to a site, it should be site0.

splunk edit cluster-config -mode searchhead -site site0

This enables it to search across the clusters it is a member of. Note that if this is part of multiple clusters, you'll need to apply that configuration to each cluster its part of.

Conversely, if you wanted to have a SH member, only search specific sites in a cluster, you could adjust that to match siteN.

0 Karma
Reply

a212830
Champion
‎03-21-2016 09:03 PM

And if I'm not using site affinity?

0 Karma
Reply

sloshburch
Ultra Champion
‎03-22-2016 12:12 PM

@esix is referring to setting up with no site affinity (site0). See this section: http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/DeploymultisiteSHC#Integrate_a_search_...

So in your scenario, you'd leave the CM in site1 and set the search heads all to site0

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...