Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are RF and SF not met?

woodlandrelic
Path Finder
‎11-15-2022 08:27 AM

Been having trouble with my indexers but everything is fine now and up. But now my RF and SF are still not been met. 

I try tweaking it but it's not working. I have added a screenshot if anyone can kindly assist. 

Thanks

Labels (1)
Labels
Preview file
5019 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-15-2022 09:01 AM

If the RF and SF are not met then everything is not fine with your indexers.  Until the RF is met a failure of an indexer could result in data loss.

Since it looks like all indexers are up, it should just be a matter of waiting for buckets to be replicated.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

matt8679
Path Finder
‎11-15-2022 12:27 PM

Is the cluster in maintenance mode?

On the manager indexer run:

splunk show maintenance-mode

Check to see if any buckets are stuck in fixup tasks? If so, resolve issue.

indexer clustering > Indexes > Bucket Status

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-15-2022 09:01 AM

If the RF and SF are not met then everything is not fine with your indexers.  Until the RF is met a failure of an indexer could result in data loss.

Since it looks like all indexers are up, it should just be a matter of waiting for buckets to be replicated.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

woodlandrelic
Path Finder
‎11-16-2022 05:06 AM

@richgalloway 

Thank you very much. It was just a matter of time like you said. I logged in this morning and Everything was fine all across. 

Reply
Solved! Jump to solution

woodlandrelic
Path Finder
‎11-15-2022 10:16 AM

@richgalloway 

Is there usually a timline for when these buckets will be replicated or a way to speed it up?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-15-2022 12:43 PM

It depends on how many buckets are being fixed-up, how big they are, and what (if anything) is preventing them from being fixed-up.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

sandeepreddy947
Path Finder
‎10-18-2023 08:32 AM

I have a bucket in fixup tasks in indexer cluster-> bucket status, its been struck.  Both SF & RF. So, both SF and RF are not met in indexer cluster. 

I tried to roll and resync bucket manually, that didn't work. There're no buckets in excess buckets, i've cleared them like more than 3hrs.

Is there any way to meet SF & RF without loosing data or bucket ?

Forgot to mention, i had a /opt/cold drive that has I/O error on an indexer. To get it fix i had stop Splunk and remove an indexer from indexer cluster, All other indexers are up and running since last night.  All 45 indexers in cluster-master are up and running and left it to bucket fixup tasks to fix and it also to rebalance overnight. When i check morning there're only 2 fixup tasks left one is in SF & one in RF.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-18-2023 08:53 AM

This thread is almost a year old with an accepted solution.  For a better chance at helpful responses, please post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...