Deployment Architecture

How to edit my configuration for a multisite indexer cluster so that search factor and replication factor are met?

sidekix24
Path Finder

We just migrated over to a multisite indexer cluster and we're seeing "Search Factor" (SF) and "Replication Factor" (RF) are not met. Below is the server.conf setting we have on the master node:

[clustering]
cluster_label = *****
mode = master
#pass4SymmKey = *****
pass4SymmKey = *****
replication_factor = 4
available_sites = site1,site2
multisite = true
site_replication_factor = origin:2,total:4
site_search_factor = origin:2,total:4 

The setup is 2 indexers per site and there are 2 sites. As you can see HA is a big deal here so they wanted to max out the RF and SF.

We're also seeing a bunch of fixups with the message below:

Missing enough suitable candidates to create replicated copy in order to meet replication policy. Missing={ site1:2 }

I've seen some posts that say changing the replication factor to 2 fixed this issue in the past. If we do that, would leaving the site RF at "site_replication_factor = origin:2,total:4" still give us 4 copies across the 4 indexers?

Thanks

0 Karma
1 Solution

somesoni2
Revered Legend

This is a common issue that may arise when migrating from single site to multisite indexer cluster. In your each site, there are only 2 nodes and replication factor (which you set for your single site cluster) is 4. Even though the single site indexer cluster specific attribute 'replication_factor' gets overridden, it has to be set to a values that is feasible considering that site as single site cluster. So, you would need to set it to match (or lower) the number of nodes in the site, i.e. 2, and the message should go away. See this link for more details.

http://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/Bucketreplicationissues#Multisite_cluster_...

View solution in original post

sidekix24
Path Finder

Hi,

Somesoni2 was able to provide the answer below. The second question that we have is

would leaving the site RF at "site_replication_factor = origin:2,total:4" still give us 4 copies across the 4 indexers?

Can anyone confirm this?

Thanks

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Out of curiosity.. If you claim that HA is a big deal then why not add an additional indexer per site and cluster them?

After re-reading this, I'm assuming you have a multi-site index cluster?

0 Karma

sidekix24
Path Finder

yes...it's a multi-site cluster with 2 indexers as each site

0 Karma

somesoni2
Revered Legend

This is a common issue that may arise when migrating from single site to multisite indexer cluster. In your each site, there are only 2 nodes and replication factor (which you set for your single site cluster) is 4. Even though the single site indexer cluster specific attribute 'replication_factor' gets overridden, it has to be set to a values that is feasible considering that site as single site cluster. So, you would need to set it to match (or lower) the number of nodes in the site, i.e. 2, and the message should go away. See this link for more details.

http://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/Bucketreplicationissues#Multisite_cluster_...

sidekix24
Path Finder

Thanks somesoni2,

Can we leave this setting the same and still get a copy on each indexer in the multisite cluster?

"site_replication_factor = origin:2,total:4"

Thanks again

0 Karma

somesoni2
Revered Legend

Yes, since you've multi-site clustering setting in place, the site_replication_factor will take effect and each site will get 2 copies of data and with two indexers on each site, each indexer should have a copy.

0 Karma

sidekix24
Path Finder

Awesome...thanks

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...