Deployment Architecture

Help with changing tsidxWritingLevel

splunk_noob2022
Engager

Hello Splunkers / @DavidHourani 

We have a single site indexer cluster with 2 Indexers which are having storage issues so we decided to apply below parameters.

We are currently on Splunk version 8.1.7

1. tsidxWritingLevel = 4

2. enableTsidxReduction = true

3. timePeriodInSecBeforeTsidxReduction = 7890000

The issue here is from cluster Master i can see RF/SF is not met and 1 of the IDX is in Automatic-detention mode, so in this scenario what challenges will i face if above parameters are enabled for all the existing indexes.

Splunk docs doesn't tell much about RF/SF with these parameters.

Labels (1)
Tags (1)
0 Karma
1 Solution

DavidHourani
Super Champion

Hi @splunk_noob2022 ,

 

If an indexer has just gone into detention then most likely the "RF/SF not met" issue is linked to the CM trying to rebuild the buckets lost along with that indexer.

The parameters you posted are simply tuning for the indexes configuration and shouldn't have any effect on RF/SF being met.

Could you please check in your internal logs for the indexer that is in delention to see what other issues could be causing this?

Cheers,

David

 

View solution in original post

DavidHourani
Super Champion

Hi @splunk_noob2022 ,

 

If an indexer has just gone into detention then most likely the "RF/SF not met" issue is linked to the CM trying to rebuild the buckets lost along with that indexer.

The parameters you posted are simply tuning for the indexes configuration and shouldn't have any effect on RF/SF being met.

Could you please check in your internal logs for the indexer that is in delention to see what other issues could be causing this?

Cheers,

David

 

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...