Splunk Search

Hybrid Search not working in Splunk Cloud "The searchhead is unable to update the peer information. Error = 'Master has multisite enabled but the search head is missing the 'multisite' attribute' for master"

khourihan_splun
Splunk Employee
Splunk Employee

When I join the Hybrid Search Head to Cloud clustermaster I get this error.

The searchhead is unable to update the peer information. Error = 'Master has multisite enabled but the search head is missing the 'multisite' attribute' for master

What gives?

Tags (1)
0 Karma
1 Solution

khourihan_splun
Splunk Employee
Splunk Employee

This is because Splunk Cloud has multi-site enabled.
To fix that you should run this command on the SH on your laptop from the bin folder:

splunk edit cluster-master https://c0m1.example.splunkcloud.com:8089 -site site0

Splunk Cloud uses sites 1-3, so make sure you pick <1 >3

View solution in original post

0 Karma

woodcock
Esteemed Legend

I finally figured this out. The problem is that there is a bug in the error logic and the text is completely wrong! What it should say is something like

Error = Master has multisite enabled but the search head is missing the 'multisite' or any 'site=' attribute

In my case, it was the site=site1 that was missing. When I added this, it fixed the problem. Running this command will fix this because it will add site=site to server.conf, not because it changes anything with multisite:

splunk edit cluster-config -mode searchhead -site site1 -master_uri https://xx.xxx.xx.xxx:808

However you should not be configuring clusters through the CLI or GUI into /opt/splunk/etc/system, you should be configuring them through the configuration files, which is why I am pointing out the true nature of the problem and the right way to fix it.

0 Karma

khourihan_splun
Splunk Employee
Splunk Employee

This is because Splunk Cloud has multi-site enabled.
To fix that you should run this command on the SH on your laptop from the bin folder:

splunk edit cluster-master https://c0m1.example.splunkcloud.com:8089 -site site0

Splunk Cloud uses sites 1-3, so make sure you pick <1 >3

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...