Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search affinity for non-multisite cluster

oliverj
Communicator
‎05-24-2017 07:35 AM

I have 2 locations, and not a ton of resources. Multisite clustering took too much -- it seems like I need at least 3 indexers (or maybe it was 2 per site). But, I only have 2 indexers, so I decided a multisite cluster was more then I needed. Instead, I set up a basic index cluster that I was hoping to have span multiple locations. Main goal = data safety. 2 copies of active splunk indexes, plus backups at each location looks to be exactly what I need.
alt text

But, my pipe between sites is pretty limited. Ideally, my search head would be tied to a specific indexer, so I am not trying to pull data across sites. I looked at affinity (but that is multisite only) and distributed search (but that is non-cluster only). Is it possible to restrict my SearchHead1 to only search Indexer1?

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

oliverj
Communicator
‎05-24-2017 10:54 AM

It seems I was wrong about not being able to use multisite clustering with only 2 peers.
I found this thread, which indicated that I need to override the default replication factor of 2.
By adding in the 

replication_factor = 1
search_factor = 1

In addition to:

site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2

I was able to successfully start the splunk process.
Now, I should be able to set up a searchhead at each site, with affinity for its own site instead of searching across both indexers across the net.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

oliverj
Communicator
‎05-24-2017 10:54 AM

It seems I was wrong about not being able to use multisite clustering with only 2 peers.
I found this thread, which indicated that I need to override the default replication factor of 2.
By adding in the 

replication_factor = 1
search_factor = 1

In addition to:

site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2

I was able to successfully start the splunk process.
Now, I should be able to set up a searchhead at each site, with affinity for its own site instead of searching across both indexers across the net.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...