Deployment Architecture

Is it possible that Search Factor is Not Met and All Data is Searchable?

dolbyjoab
Explorer

The status of my Indexer Clustering-Master Node dashboard, All Data is Searchable and at the same time Search Factor is Not Met **.
- Is that normal to have these 2 in different status? what is the difference between these 2 status?
- What can be a cause of a constantly **fixup taks pending
?
- If I resync the buckets, I will potentially loss data, how to avoid that?
- is there a way to resync (in case I need to) a huge amount of bucket (around 700) healthily and fast?

Thanks

0 Karma
1 Solution

DavidHourani
Super Champion

Hi @dolbyjoab,

- Is that normal to have these 2 in different status? what is the difference between these 2 status?
All Data is Searchable means that you have at least one searchable copy of your data available on your cluster whereas Search Factor is Not Met means that your cluster doesn't have as many copies as it is configured to have by default your search factor is set to 2 which means you should have two searchable copies of every bucket across all your cluster.

- What can be a cause of a constantly fixup tasks pending?
have a look here https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Anomalousbuckets Many things can lead to buckets fixup to be pending. Usually you can see that in the bucket pending tab of the bucket status.

- If I resync the buckets, I will potentially loss data, how to avoid that?
You will not lose any data if you resync the buckets. Why do you think you would lose anything ? The only thing you might have is search interruption which can be avoided using a search safe rebalance.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Rebalancethecluster#Make_data_rebalance_s...

- is there a way to resync (in case I need to) a huge amount of bucket (around 700) healthily and fast?
As described in the same link above https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Anomalousbuckets#Resync you can run the resync from your cluster master.

More details here if you want to run that via CLI:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Rebalancethecluster#Initiate_data_rebalan...

Let me know if that helps.

Cheers,
David

View solution in original post

DavidHourani
Super Champion

Hi @dolbyjoab,

- Is that normal to have these 2 in different status? what is the difference between these 2 status?
All Data is Searchable means that you have at least one searchable copy of your data available on your cluster whereas Search Factor is Not Met means that your cluster doesn't have as many copies as it is configured to have by default your search factor is set to 2 which means you should have two searchable copies of every bucket across all your cluster.

- What can be a cause of a constantly fixup tasks pending?
have a look here https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Anomalousbuckets Many things can lead to buckets fixup to be pending. Usually you can see that in the bucket pending tab of the bucket status.

- If I resync the buckets, I will potentially loss data, how to avoid that?
You will not lose any data if you resync the buckets. Why do you think you would lose anything ? The only thing you might have is search interruption which can be avoided using a search safe rebalance.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Rebalancethecluster#Make_data_rebalance_s...

- is there a way to resync (in case I need to) a huge amount of bucket (around 700) healthily and fast?
As described in the same link above https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Anomalousbuckets#Resync you can run the resync from your cluster master.

More details here if you want to run that via CLI:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Rebalancethecluster#Initiate_data_rebalan...

Let me know if that helps.

Cheers,
David

dolbyjoab
Explorer

Thank you so much for your point.
Actually, I tried to resync some buckets but it is not resolving my issue. I am planning to use the cli command to scan and repair the anomous buckets.

0 Karma

gjanders
SplunkTrust
SplunkTrust

@DavidHourani great answer but can you add a space after "https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Anomalousbuckets" or use a hyperlink? Otherwise the "." becomes part of the link resulting in a 404.
Also consider using /latest/ instead of /8.0.0/

DavidHourani
Super Champion

Thanks for the tips! ❤️ removed the trailing dot

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...