Deployment Architecture

We have two indexers in our cluster with SF=2 and RF=2. For the past week I have been observing a huge difference (almost 8K) in buckets between the indexers. Is this normal, or do we need to take any action?

motkarnaresh
Explorer

I have also observed that we are getting the following error frequently.

Problem replicating config (bundle) to search peer ':8089',Reading reply to upload: rv=-2, Receive from=https://:8089 timed out; exceeded 60sec, as per=distsearch.conf/[replicationSettings]/sendRcvTimeout

If there is anyone who had the same problem and solved it, please provide the solution. Thanks

0 Karma

TStrauch
Communicator

Hi Motkarnaresh,

I think the error you posted is not causing the bucket replication issue you describe in your headline.

The error you posted is a knowledge bundle replication error between your search head and the indexer. It just means that the knowledge bundle which is replicated from your search head to the indexers did not finish the replication within 60 seconds. This can happen when the replicated bundle is simply too big to finish replication within the default 60 seconds.

Take a look at distsearch.conf for some configuration possibilities. For example, you can set the sendRcvTimeout parameter a little higher, but I would prefer to check how big your bundles are.

Path --> $SPLUNK_HOME_SEARCH_HEAD/var/run

In addition, you can check this to edit your knowledge bundles. Often big lookups cause this problem.

http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Configuredistributedsearch#Limit_the_knowledg...

If none of this helps, you should check your network performance.

Are there any other warnings or errors on your search peers that can explain your difference in bucket replication?

Kind regards
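One way to carry out the bundle size check suggested in the answer above, as an added example that is not part of the original posts. It assumes the knowledge bundles are the `*.bundle` tar archives in the `var/run` directory of the search head; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: knowledge bundles are the
# *.bundle tar archives under $SPLUNK_HOME/var/run on the search head.

# bundle_sizes DIR: print "BYTES PATH" for every bundle in DIR, largest first.
bundle_sizes() (
    for b in "$1"/*.bundle; do
        [ -f "$b" ] || continue
        printf '%s %s\n' "$(( $(wc -c < "$b") ))" "$b"
    done | sort -rn
)

# largest_members BUNDLE [N]: print "BYTES PATH" for the N largest files inside
# one bundle (default 10). Sizes are read from a scratch extraction, so the
# result does not depend on the column layout of `tar -tv`.
largest_members() (
    bundle=$1; n=${2:-10}
    tmp=$(mktemp -d) || exit 1
    if tar -xf "$bundle" -C "$tmp"; then
        ( cd "$tmp" && find . -type f ) | while IFS= read -r f; do
            printf '%s %s\n' "$(( $(wc -c < "$tmp/$f") ))" "${f#./}"
        done | sort -rn | head -n "$n"
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"   # always remove the scratch copy
    exit "$rc"
)

# bundle_report DIR [N]: list the bundles, then show what fills the largest one.
# Large files under a lookups/ directory are the usual suspects.
bundle_report() (
    biggest=$(bundle_sizes "$1" | head -n 1 | cut -d' ' -f2-)
    [ -n "$biggest" ] || { echo "no *.bundle files in $1" >&2; exit 1; }
    echo "== bundles in $1 (bytes) =="
    bundle_sizes "$1"
    echo "== largest files in $biggest =="
    largest_members "$biggest" "${2:-10}"
)

# Usage on the search head: sh bundle_report.sh "$SPLUNK_HOME/var/run"
if [ "$#" -gt 0 ]; then
    bundle_report "$@"
fi
```

The extraction needs free space in the temporary directory roughly equal to the unpacked bundle.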
