Hi,
We have a splunk architecture of 2 search head,2 indexers,1 management server.These are all installed on RHEL7. After patching the OS, We are seeing an error on the management node.
Health status of splunkd - red
Data durability - Searchfactor is not met.
Multiple messages like above.
Data searchable -
There is message on our search heads as well.
The number of search artifacts in the dispatch directory is higher than recommended (count=7391, warning threshold=5000) and could have an impact on search performance.
Splunk Version:8.1.3
We have been having the splunkhot buckets reach to 90% utilization and trying to figure out the solution. But after patching,things seem to go bit worse. Please help me guys :/.
I am experiencing the same thing you describe here. It's been over a year since this post. Do you still remember the solution?
Thanks!
Dave
For us the problem ended up being a fat finger issue when setting up networks.
The subnet mask on one of the indexers was incorrect.
Hi
how you did update? And which Splunk version you have?
There is a bug on 8.1.3+ which can cause this kind of behavior.
Can you reboot CM and see if those ask vanished (temporary) from fi list?
r. Ismo
Good day,
The cluster master looks healthy but I have the data durability error where the root cause is search factor not met.
My splunk version is 8.2.9