I am planning a multi-site (2 datacenter sites) installation of Splunk Enterprise v6.1.4.
There will be 1 search head per DC, 2 indexer nodes per DC, and 1 universal forwarder per DC (configured with an RF=4).
Both SHs will be configured for distributed-search across the indexers at each site.
Will there be any issue in putting Search factor as 1?
Will there be any issues having one side of the deployment in another DC with a higher-RTT than the local indexer?
I understand that the RF should be, at minimum, the number of peer nodes, so we will have an RF of 4. But I am not sure about the minimum value of the search factor.
First, the search factor can be 1 if you like. This means that only one copy of each bucket will be searchable. If you lose an indexer, you won't lose data (that depends on the replication factor) - but the users will not be able to run searches until the recovery is complete and one copy of each bucket is searchable.
Second, you do not need to set a replication factor of 4 because you have 4 indexers! You misunderstand. That is not a requirement and it is probably not a good idea either. In a multi-site indexer cluster, you can have any replication factor you like, but it makes sense to have at least 2 copies, since you have two sites. (I think you may be mis-remembering this rule: you cannot have more copies than indexers: if you have only 4 indexers, your replication factor and search factor cannot be more than 4.)
Finally, although we tend to use the general terms, in a multi-site cluster you will actually need to set the site replication factor and the site search factor. These factors allow you to specify how many copies of the data and index files will be stored at each site, as well as the number of copies overall.
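As an added illustration (not part of the original answer), this is roughly how the site replication factor and site search factor are set in `server.conf` for a two-site cluster like the one described. The hostname, the secret, and the choice of which site hosts the master are placeholders and assumptions; the factor values shown are one valid choice for 2 indexers per site, not a recommendation from the answer.

```ini
# server.conf on the cluster master (constructed example; master assumed to be in site1)
[general]
site = site1

[clustering]
mode = master
multisite = true
available_sites = site1,site2
# Copies of each bucket: 2 at the site where the data was indexed, 3 in total,
# so the third copy is stored at the other site.
site_replication_factor = origin:2,total:3
# Searchable copies: 1 at the originating site, 2 in total.
site_search_factor = origin:1,total:2
pass4SymmKey = <cluster-secret-placeholder>

# server.conf on each indexer in the second datacenter
# (indexers in the first datacenter use site = site1)
[general]
site = site2

[replication_port://9887]

[clustering]
mode = slave
master_uri = https://master.example.com:8089
pass4SymmKey = <cluster-secret-placeholder>
```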