Unequal number of Buckets in indexer clustering.

motkarnaresh · ‎11-10-2016

We have two indexers in our cluster and RF and SF are met. But the total number of buckets in one of the indexer is reducing day by day. present situation is, one indexer contain 25000 Buckets and other contain 5000 Buckets. Did anyone faced this type of situation? Please help me whether is this normal or need to worry?

ddrillic · ‎11-12-2016

It's interesting to see your view of the Indexer Clustering: Master Node

horsefez · ‎11-11-2016

Hi motkarnaresh,

looks wierd to me. I also administer a indexer cluster and I'm used to seeing diffences in bucket count aswell, but nothing that looks this extreme.

How much data are you indexing on average per day?
As TStrauch said, whats your RF?

What you could do for troubleshooting is following this documentation to list excess buckets.
https://docs.splunk.com/Documentation/Splunk/6.5.0/Indexer/Removeextrabucketcopies

Don't remove them yet, just maybe show us the results of the splunk list excess-buckets command.

motkarnaresh · ‎11-13-2016

Hi Pyro_wood,

There is nothing in excess-buckets list. Our SF=2 and RF=2 and we have only two indexers.
Our Splunk version is 6.3.1

TStrauch · ‎11-11-2016

What is your search and replication faktor?

motkarnaresh · ‎11-13-2016

SF=2 and RF=2 and we have two indexers.

Unequal number of Buckets in indexer clustering.

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!