Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why replication factor is not met and search head only shows localhost in Splunk Enterprise 6.1.3 multi-site cluster?

varun4splunk
Engager
‎08-26-2014 02:49 AM

Hello

I am testing Splunk Enterprise Multi-Site Cluster in my lab. The details of which are mentioned below :

Site1 - Master , Index Peers 1 and 2 , Search Head , and 1 Universal Forwarder.
Site2 - Index Peers 1 and 2, Search Head, and 2 Universal Forwarders.


[clustering]
mode = master
multisite = true
available_sites=site1,site2
site_replication_factor = origin:2,site1:1,site2:1,total:4
site_search_factor = origin:2,site1:1,site2:1,total:3

I am facing 2 issues :

1 - If I am checking logs on the other Search Head when the one in the site goes down , I am able to find those logs but , the name of the host from which the logs have come is shown as localhost.

(I have proper DNS setup for both the sites.)

2 - My Master says that the replication factor has not been met.

Please let me know if i have goofed up configuration or my assumptions are not right for a 2 site Multi-Cluster configuration. Aslo please let me know if any additional information is needed.

CentOS 6.3
Splunk - 6.1.3 and splunkforwarder 6.1.3

0 Karma
Reply

neelamssantosh
Contributor
‎09-17-2014 01:50 AM
  1. Kindly confirm/recheck in server.conf servername field. serverName = $HOSTNAME

2 . Make sure all the instances have / must have unique guId value in in instance.cfg
/opt/splunk/etc/instance.cfg
[general]
guid = B58A86D9-DF3D-4BF8-A426-DB85C231B699

0 Karma
Reply

varun4splunk
Engager
‎09-17-2014 01:50 AM

http://answers.splunk.com/answers/144603/multi-site-cluster-configuration-help-with-2-cluster-peers.... is the answer to my 1st question.

Will try the solution for Ques #2 and update.

Thanks

Reply

dxu_splunk
Splunk Employee
Splunk Employee
‎09-03-2014 05:07 PM

For #2: try setting replication_factor=2. You may have old buckets that were created before multisite - and those follow a different set of rules than that of multisite buckets.
http://docs.splunk.com/Documentation/Splunk/6.1.3/Indexer/Migratetomultisite#How_the_cluster_migrate...
http://answers.splunk.com/answers/134798/splunk-61-multi-site-cluster-not-replicating-or-working-as-...

0 Karma
Reply
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Get Updates on the Splunk Community!