How to reduce the search factor to 2 from 3?

arunsunny · ‎10-20-2020

Hello Splunkers,

I have one requirement where have 3 sites and planning to keep the search factor to 2 and replication factor to 3.

Current Config: ( SF=3 and RF=3 )

[clustering]
site_replication_factor = origin:1,site1:1,site2:1,site3:1,total:3
site_search_factor = origin:1,site1:1,site2:1,site3:1,total:3

To making into the Search Factor to 2 in any sites will the below settings works?

[clustering]
site_replication_factor = origin:1,site1:1,site2:1,site3:1,total:3
site_search_factor = origin:1,site1:1,site2:1,site3:1,total:2

To reduce to SF=2 what all steps involved?

Cheers,
Arun Sunny

richgalloway · ‎10-20-2020

The proposed site_search_factor setting is invalid. One cannot have a copy on each of three sites and have a total of 2 copies. I suggest

site_search_factor = origin:1,total:2

---
If this reply helps you, Karma would be appreciated.

arunsunny · ‎10-27-2020

One more question:

If we are going to use the below settings:

site_search_factor = origin:1,total:2

Is there a chance of 2 search copy will be there on the same site?

richgalloway · ‎10-27-2020

Splunk will put one copy on the original site and the other copy on the other site.

---
If this reply helps you, Karma would be appreciated.

arunsunny · ‎10-20-2020

Thanks for the answer.

So post-change the config only Cluster master required restart?

richgalloway · ‎10-20-2020

Yes

---
If this reply helps you, Karma would be appreciated.