Splunk Search

How to configure search affinity in multisite clustering?

alexandre_ouoto
Explorer

Hello Everyone,

I am having trouble with a multisite configuration (version 6.3). I have two sites:

site 1: 1 master node, 1 search head, 2 indexers
site 2: 1 search head, 2 indexers

The multisite configuration is OK, but I have an issue with the search affinity. The goal is to be able to access all cluster data with the search head on site 1 and only local data with the site 2 search head.

This is my configuration on the master node:

[general]
pass4SymmKey = passkey
serverName = masternode
site = site1

[clustering]
mode = master
pass4SymmKey = passkey
replication_factor = 2
available_sites = site1,site2
multisite = true
site_replication_factor = origin:2,total:2
site_search_factor = origin:2,total:2

This is my configuration on the search head on site 1:

[general]
pass4SymmKey = passkey
serverName = searchHead1
site = site0

[clustering]
master_uri = clustermaster:masternode:8089
mode = searchhead

[clustermaster:masternode:8089]
master_uri = https://masternode:8089
multisite = true
pass4SymmKey = passkey

This is my configuration on the search head on site 2:

[general]
pass4SymmKey = passkey
serverName = searchHead2
site = site2

[clustering]
master_uri = clustermaster:masternode:8089
mode = searchhead

[clustermaster:masternode:8089]
master_uri = https://masternode:8089
multisite = true
pass4SymmKey = passkey

This is my configuration on indexers 1 and 2 on site 1:

[general]
pass4SymmKey = passkey
serverName = indexer
site = site1

[clustering]
master_uri = https://masternode:8089
mode = slave
pass4SymmKey = passkey

This is my configuration on indexers 1 and 2 on site 2:

[general]
pass4SymmKey = passkey
serverName = indexer
site = site2

[clustering]
master_uri = https://masternode:8089
mode = slave
pass4SymmKey = passkey

According to the doc, I have to set site0 to disable search affinity and set siteX to enable only local search.
The issue is that with this configuration it's exactly the opposite: the search head on site 1 can see only local data and the search head on site 2 can see all data.

Does anyone know what's wrong with my configuration? Thanks for your help.

dxu_splunk
Splunk Employee

Just a heads up:

site_replication_factor = origin:2,total:2

sets it so that all your data is local to its original site. So a bucket created on site1 will not get replicated to site2. What you want is probably

site_replication_factor = origin:1,total:2

and the same for site_search_factor, with the same search head configuration (site0 on the site1 SH, site2 on the site2 SH).

As for your observed problem, do you have a lot of buckets? Is this a migrated cluster from non-multisite?

0 Karma

alexandre_ouoto
Explorer

Hi dxu,

Yes, it's desired that the data remains on its site. But doesn't that prevent a search head from another site from accessing it?

Originally site 1 was a simple indexer cluster; I turned it multisite and joined site 2.

0 Karma

dxu_splunk
Splunk Employee

A search head, regardless of site, will always search all indexers. Multisite affinity is simply returning as much data as possible from the local site. With your data staying on the local site, a search from site1 will always get results from site2, and site2 searches will always get results from site1 (since there are buckets that only exist on one site and not another).

Have your site2 indexers indexed any data / created any buckets? A site0 search must be getting site2 events if there are buckets on site2 that only exist on site2...

0 Karma
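As an added illustration of the two points made above (not code from the thread or from Splunk), here is a small audit script that parses the master-node stanza posted in the question, works out how many replicated copies may leave a bucket's origin site under the posted `site_replication_factor`, and restates what the `site` value on each search head means for affinity. The stanza text and the search-head site map are constructed from the values in the question.

```python
import configparser

# Constructed sample: the [clustering] stanza exactly as posted for the master node.
MASTER_CONF = """
[clustering]
mode = master
replication_factor = 2
available_sites = site1,site2
multisite = true
site_replication_factor = origin:2,total:2
site_search_factor = origin:2,total:2
"""

def parse_factor(value):
    """'origin:2,total:2' -> {'origin': 2, 'total': 2}; also handles 'site1:1,...'."""
    out = {}
    for item in value.split(","):
        name, _, count = item.strip().partition(":")
        out[name] = int(count)
    return out

def off_origin_copies(factor):
    """Copies the master may place on a site other than the bucket's origin site."""
    pinned = sum(n for site, n in factor.items() if site != "total")
    return factor["total"] - pinned

def search_head_affinity(site):
    """What the [general] site value on a search head means for search affinity."""
    if site == "site0":
        return "no affinity: results come from whichever indexers hold the buckets"
    return f"affinity to {site}: prefers local copies, but remote-only buckets are still searched"

def audit_multisite(master_text, search_head_sites):
    """Return human-readable findings for a master stanza and a {host: site} map."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(master_text)
    c = cp["clustering"]
    rf = parse_factor(c["site_replication_factor"])
    sf = parse_factor(c["site_search_factor"])
    findings = []
    if off_origin_copies(rf) == 0:
        findings.append("site_replication_factor keeps every copy on the origin site; "
                        "no site can answer a search for another site's data from local copies")
    if sf["total"] > rf["total"]:
        findings.append("site_search_factor total exceeds site_replication_factor total")
    for host, site in search_head_sites.items():
        findings.append(f"{host}: {search_head_affinity(site)}")
    return findings

if __name__ == "__main__":
    for line in audit_multisite(MASTER_CONF, {"searchHead1": "site0", "searchHead2": "site2"}):
        print("-", line)
```

Changing the sample to `origin:1,total:2` makes the first finding disappear, which is the change suggested above.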

alexandre_ouoto
Explorer

At the beginning, site 2 was empty, so no buckets were tagged with site 2. If I follow your reasoning, normally the search head on site 2 would not return site 1 results? Data on the site 1 indexers was always tagged site 1 and on the site 2 indexers always tagged site 2.
If I understand correctly, to get the desired behaviour, buckets on each site must exist only on their site?
My site configuration is good, right?

0 Karma