Help with distributed search and multi-site index ...

a212830 · ‎03-21-2016

Hi,

I've setup a dev env with 3 sites. I also have a SHC configured, and need to setup distributed search, so the SH read from the IDX.

Looking at this page - http://docs.splunk.com/Documentation/Splunk/6.3.3/DistSearch/SHCandindexercluster - I see the command, but I'm not quite certain on the "site0" part. My sites are site1, site2, site3. The CM is in site1.

So my question is what value should I pass for a site in the cluster-config command.

esix_splunk · ‎03-21-2016

The site0 configuration has to do with site affinity in the cluster. When you dont want to bind a SH specifically to a site, it should be site0.

splunk edit cluster-config -mode searchhead -site site0

This enables it to search across the clusters it is a member of. Note that if this is part of multiple clusters, you'll need to apply that configuration to each cluster its part of.

Conversely, if you wanted to have a SH member, only search specific sites in a cluster, you could adjust that to match siteN.

a212830 · ‎03-21-2016

And if I'm not using site affinity?

sloshburch · ‎03-22-2016

@esix is referring to setting up with no site affinity (site0). See this section: http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/DeploymultisiteSHC#Integrate_a_search_...

So in your scenario, you'd leave the CM in site1 and set the search heads all to site0

Help with distributed search and multi-site index clustering

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!