Managing Indexers and Clusters of Indexers

 


Troubleshoot indexers and clusters of indexers

Implement search affinity in a multisite indexer cluster

Implement search affinity in a multisite indexer cluster

One of the key benefits of multisite indexer clustering is that it allows you to configure a cluster so that search heads perform their searches only on data stored on their local sites. This reduces network traffic while still providing access to the entire set of data, because each site contains a full copy of the data. This benefit is known as "search affinity."

For example, say you have two data centers in California, one in San Francisco and the other in Los Angeles. You set up a two-site cluster, with each site corresponding to a data center. Search affinity allows you to reduce long-distance network traffic. Search heads at the San Francisco data center search only the peers in San Francisco, while search heads in Los Angeles search only their local peers.

How search affinity works

For those sites that you want to support search affinity, you must configure multisite clustering so that the site has a full set of searchable data and a local search head. The search head on any particular site then searches only the data on its local site, as long as that site is valid.

If a local peer holding some of the searchable data goes down and the site temporarily loses its valid state, the search head will, if necessary, access data from peers on remote sites while the local site is undergoing bucket fixing. During this time, the search head will still get as much of the data as possible from the local site.

Once the site regains its valid state, new searches again occur across only the local site.

For more details on how the cluster handles search affinity, see "Multisite indexer cluster architecture".

Implement search affinity

To implement search affinity:

1. Configure the site replication and search factors so that you have at least one searchable copy on each site where you require search affinity. You must explicitly specify the sites that require search affinity. For example, assume you have a three-site cluster with replication and search factors like this:

site_replication_factor = origin:2, site1:3, site2:3, total:8
site_search_factor = origin:1, site1:2, site2:2, total:5

In this example, you have two explicit sites (site1 and site2) and one non-explicit site (site3). This search factor enables site affinity only for site1 and site2.

For information on configuring the replication and search factors, see "Configure the site replication factor" and "Configure the site search factor".

2. Deploy a search head on each site where you require search affinity.

This documentation applies to the following versions of Splunk: 6.1 , 6.1.1 , 6.1.2 , 6.1.3 , 6.1.4 , 6.2.0 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!