1 - If I am checking logs on the other Search Head when the one in the site goes down , I am able to find those logs but , the name of the host from which the logs have come is shown as localhost.

varun4splunk · ‎08-26-2014

Hello

I am testing Splunk Enterprise Multi-Site Cluster in my lab. The details of which are mentioned below :

Site1 - Master , Index Peers 1 and 2 , Search Head , and 1 Universal Forwarder.
Site2 - Index Peers 1 and 2, Search Head, and 2 Universal Forwarders.

[clustering]
mode = master
multisite = true
available_sites=site1,site2
site_replication_factor = origin:2,site1:1,site2:1,total:4
site_search_factor = origin:2,site1:1,site2:1,total:3

I am facing 2 issues :

1 - If I am checking logs on the other Search Head when the one in the site goes down , I am able to find those logs but , the name of the host from which the logs have come is shown as localhost.

(I have proper DNS setup for both the sites.)

2 - My Master says that the replication factor has not been met.

Please let me know if i have goofed up configuration or my assumptions are not right for a 2 site Multi-Cluster configuration. Aslo please let me know if any additional information is needed.

CentOS 6.3
Splunk - 6.1.3 and splunkforwarder 6.1.3

neelamssantosh · ‎09-17-2014

Kindly confirm/recheck in server.conf servername field. serverName = $HOSTNAME

2 . Make sure all the instances have / must have unique guId value in in instance.cfg
/opt/splunk/etc/instance.cfg
[general]
guid = B58A86D9-DF3D-4BF8-A426-DB85C231B699

varun4splunk · ‎09-17-2014

http://answers.splunk.com/answers/144603/multi-site-cluster-configuration-help-with-2-cluster-peers.... is the answer to my 1st question.

Will try the solution for Ques #2 and update.

Thanks

dxu_splunk · ‎09-03-2014

For #2: try setting replication_factor=2. You may have old buckets that were created before multisite - and those follow a different set of rules than that of multisite buckets.
http://docs.splunk.com/Documentation/Splunk/6.1.3/Indexer/Migratetomultisite#How_the_cluster_migrate...
http://answers.splunk.com/answers/134798/splunk-61-multi-site-cluster-not-replicating-or-working-as-...

Why replication factor is not met and search head only shows localhost in Splunk Enterprise 6.1.3 multi-site cluster?

1 - If I am checking logs on the other Search Head when the one in the site goes down , I am able to find those logs but , the name of the host from which the logs have come is shown as localhost.

2 - My Master says that the replication factor has not been met.

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>

Why replication factor is not met and search head only shows localhost in Splunk Enterprise 6.1.3 multi-site cluster?

1 - If I am checking logs on the other Search Head when the one in the site goes down , I am able to find those logs but , the name of the host from which the logs have come is shown as localhost.

2 - My Master says that the replication factor has not been met.

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>