Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible that Search Factor is Not Met and All Data is Searchable?

dolbyjoab
Explorer
‎12-03-2019 05:06 AM

The status of my Indexer Clustering-Master Node dashboard, All Data is Searchable and at the same time Search Factor is Not Met **.
- Is that normal to have these 2 in different status? what is the difference between these 2 status?
- What can be a cause of a constantly **fixup taks pending?
- If I resync the buckets, I will potentially loss data, how to avoid that?
- is there a way to resync (in case I need to) a huge amount of bucket (around 700) healthily and fast?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎12-03-2019 05:41 AM

Hi @dolbyjoab,

- Is that normal to have these 2 in different status? what is the difference between these 2 status?
All Data is Searchable means that you have at least one searchable copy of your data available on your cluster whereas Search Factor is Not Met means that your cluster doesn't have as many copies as it is configured to have by default your search factor is set to 2 which means you should have two searchable copies of every bucket across all your cluster.

- What can be a cause of a constantly fixup tasks pending?
have a look here https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Anomalousbuckets Many things can lead to buckets fixup to be pending. Usually you can see that in the bucket pending tab of the bucket status.

- If I resync the buckets, I will potentially loss data, how to avoid that?
You will not lose any data if you resync the buckets. Why do you think you would lose anything ? The only thing you might have is search interruption which can be avoided using a search safe rebalance.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Rebalancethecluster#Make_data_rebalance_s...

- is there a way to resync (in case I need to) a huge amount of bucket (around 700) healthily and fast?
As described in the same link above https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Anomalousbuckets#Resync you can run the resync from your cluster master.

More details here if you want to run that via CLI:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Rebalancethecluster#Initiate_data_rebalan...

Let me know if that helps.

Cheers,
David

View solution in original post

Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎12-03-2019 05:41 AM

Hi @dolbyjoab,

- Is that normal to have these 2 in different status? what is the difference between these 2 status?
All Data is Searchable means that you have at least one searchable copy of your data available on your cluster whereas Search Factor is Not Met means that your cluster doesn't have as many copies as it is configured to have by default your search factor is set to 2 which means you should have two searchable copies of every bucket across all your cluster.

- What can be a cause of a constantly fixup tasks pending?
have a look here https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Anomalousbuckets Many things can lead to buckets fixup to be pending. Usually you can see that in the bucket pending tab of the bucket status.

- If I resync the buckets, I will potentially loss data, how to avoid that?
You will not lose any data if you resync the buckets. Why do you think you would lose anything ? The only thing you might have is search interruption which can be avoided using a search safe rebalance.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Rebalancethecluster#Make_data_rebalance_s...

- is there a way to resync (in case I need to) a huge amount of bucket (around 700) healthily and fast?
As described in the same link above https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Anomalousbuckets#Resync you can run the resync from your cluster master.

More details here if you want to run that via CLI:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Rebalancethecluster#Initiate_data_rebalan...

Let me know if that helps.

Cheers,
David

Reply
Solved! Jump to solution

dolbyjoab
Explorer
‎12-09-2019 10:01 AM

Thank you so much for your point.
Actually, I tried to resync some buckets but it is not resolving my issue. I am planning to use the cli command to scan and repair the anomous buckets.

0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎12-08-2019 01:44 AM

@DavidHourani great answer but can you add a space after "https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Anomalousbuckets" or use a hyperlink? Otherwise the "." becomes part of the link resulting in a 404.
Also consider using /latest/ instead of /8.0.0/

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎12-08-2019 06:47 AM

Thanks for the tips! ❤️ removed the trailing dot

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...