Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search affinity for non-multisite cluster

oliverj
Communicator
‎05-24-2017 07:35 AM

I have 2 locations, and not a ton of resources. Multisite clustering took too much -- it seems like I need at least 3 indexers (or maybe it was 2 per site). But, I only have 2 indexers, so I decided a multisite cluster was more then I needed. Instead, I set up a basic index cluster that I was hoping to have span multiple locations. Main goal = data safety. 2 copies of active splunk indexes, plus backups at each location looks to be exactly what I need.
alt text

But, my pipe between sites is pretty limited. Ideally, my search head would be tied to a specific indexer, so I am not trying to pull data across sites. I looked at affinity (but that is multisite only) and distributed search (but that is non-cluster only). Is it possible to restrict my SearchHead1 to only search Indexer1?

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

oliverj
Communicator
‎05-24-2017 10:54 AM

It seems I was wrong about not being able to use multisite clustering with only 2 peers.
I found this thread, which indicated that I need to override the default replication factor of 2.
By adding in the 

replication_factor = 1
search_factor = 1

In addition to:

site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2

I was able to successfully start the splunk process.
Now, I should be able to set up a searchhead at each site, with affinity for its own site instead of searching across both indexers across the net.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

oliverj
Communicator
‎05-24-2017 10:54 AM

It seems I was wrong about not being able to use multisite clustering with only 2 peers.
I found this thread, which indicated that I need to override the default replication factor of 2.
By adding in the 

replication_factor = 1
search_factor = 1

In addition to:

site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2

I was able to successfully start the splunk process.
Now, I should be able to set up a searchhead at each site, with affinity for its own site instead of searching across both indexers across the net.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...