Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Search affinity for non-multisite cluster

oliverj
Communicator
‎05-24-2017 07:35 AM

I have 2 locations, and not a ton of resources. Multisite clustering took too much -- it seems like I need at least 3 indexers (or maybe it was 2 per site). But, I only have 2 indexers, so I decided a multisite cluster was more then I needed. Instead, I set up a basic index cluster that I was hoping to have span multiple locations. Main goal = data safety. 2 copies of active splunk indexes, plus backups at each location looks to be exactly what I need.
alt text

But, my pipe between sites is pretty limited. Ideally, my search head would be tied to a specific indexer, so I am not trying to pull data across sites. I looked at affinity (but that is multisite only) and distributed search (but that is non-cluster only). Is it possible to restrict my SearchHead1 to only search Indexer1?

Preview file
11 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

oliverj
Communicator
‎05-24-2017 10:54 AM

It seems I was wrong about not being able to use multisite clustering with only 2 peers.
I found this thread, which indicated that I need to override the default replication factor of 2.
By adding in the 

replication_factor = 1
search_factor = 1

In addition to:

site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2

I was able to successfully start the splunk process.
Now, I should be able to set up a searchhead at each site, with affinity for its own site instead of searching across both indexers across the net.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

oliverj
Communicator
‎05-24-2017 10:54 AM

It seems I was wrong about not being able to use multisite clustering with only 2 peers.
I found this thread, which indicated that I need to override the default replication factor of 2.
By adding in the 

replication_factor = 1
search_factor = 1

In addition to:

site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2

I was able to successfully start the splunk process.
Now, I should be able to set up a searchhead at each site, with affinity for its own site instead of searching across both indexers across the net.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...