Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search affinity for non-multisite cluster

oliverj
Communicator
‎05-24-2017 07:35 AM

I have 2 locations, and not a ton of resources. Multisite clustering took too much -- it seems like I need at least 3 indexers (or maybe it was 2 per site). But, I only have 2 indexers, so I decided a multisite cluster was more then I needed. Instead, I set up a basic index cluster that I was hoping to have span multiple locations. Main goal = data safety. 2 copies of active splunk indexes, plus backups at each location looks to be exactly what I need.
alt text

But, my pipe between sites is pretty limited. Ideally, my search head would be tied to a specific indexer, so I am not trying to pull data across sites. I looked at affinity (but that is multisite only) and distributed search (but that is non-cluster only). Is it possible to restrict my SearchHead1 to only search Indexer1?

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

oliverj
Communicator
‎05-24-2017 10:54 AM

It seems I was wrong about not being able to use multisite clustering with only 2 peers.
I found this thread, which indicated that I need to override the default replication factor of 2.
By adding in the 

replication_factor = 1
search_factor = 1

In addition to:

site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2

I was able to successfully start the splunk process.
Now, I should be able to set up a searchhead at each site, with affinity for its own site instead of searching across both indexers across the net.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

oliverj
Communicator
‎05-24-2017 10:54 AM

It seems I was wrong about not being able to use multisite clustering with only 2 peers.
I found this thread, which indicated that I need to override the default replication factor of 2.
By adding in the 

replication_factor = 1
search_factor = 1

In addition to:

site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2

I was able to successfully start the splunk process.
Now, I should be able to set up a searchhead at each site, with affinity for its own site instead of searching across both indexers across the net.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...