Splunk Search

Hybrid Search not working in Splunk Cloud "The searchhead is unable to update the peer information. Error = 'Master has multisite enabled but the search head is missing the 'multisite' attribute' for master"

khourihan_splun
Splunk Employee
Splunk Employee

When I join the Hybrid Search Head to Cloud clustermaster I get this error.

The searchhead is unable to update the peer information. Error = 'Master has multisite enabled but the search head is missing the 'multisite' attribute' for master

What gives?

Tags (1)
0 Karma
1 Solution

khourihan_splun
Splunk Employee
Splunk Employee

This is because Splunk Cloud has multi-site enabled.
To fix that you should run this command on the SH on your laptop from the bin folder:

splunk edit cluster-master https://c0m1.example.splunkcloud.com:8089 -site site0

Splunk Cloud uses sites 1-3, so make sure you pick <1 >3

View solution in original post

0 Karma

woodcock
Esteemed Legend

I finally figured this out. The problem is that there is a bug in the error logic and the text is completely wrong! What it should say is something like

Error = Master has multisite enabled but the search head is missing the 'multisite' or any 'site=' attribute

In my case, it was the site=site1 that was missing. When I added this, it fixed the problem. Running this command will fix this because it will add site=site to server.conf, not because it changes anything with multisite:

splunk edit cluster-config -mode searchhead -site site1 -master_uri https://xx.xxx.xx.xxx:808

However you should not be configuring clusters through the CLI or GUI into /opt/splunk/etc/system, you should be configuring them through the configuration files, which is why I am pointing out the true nature of the problem and the right way to fix it.

0 Karma

khourihan_splun
Splunk Employee
Splunk Employee

This is because Splunk Cloud has multi-site enabled.
To fix that you should run this command on the SH on your laptop from the bin folder:

splunk edit cluster-master https://c0m1.example.splunkcloud.com:8089 -site site0

Splunk Cloud uses sites 1-3, so make sure you pick <1 >3

0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...