Deployment Architecture

Why are RF and SF not met?

woodlandrelic
Path Finder

I've been having trouble with my indexers, but everything is fine now and up. But now my RF and SF are still not being met.

I tried tweaking it but it's not working. I have added a screenshot if anyone can kindly assist.

Thanks

richgalloway
SplunkTrust

If the RF and SF are not met then everything is not fine with your indexers.  Until the RF is met a failure of an indexer could result in data loss.

Since it looks like all indexers are up, it should just be a matter of waiting for buckets to be replicated.

---
If this reply helps you, Karma would be appreciated.

matt8679
Path Finder

Is the cluster in maintenance mode?

On the manager indexer run:

splunk show maintenance-mode

Check to see if any buckets are stuck in fixup tasks. If so, resolve the issue.

indexer clustering > Indexes > Bucket Status

woodlandrelic
Path Finder

@richgalloway 

Thank you very much. It was just a matter of time like you said. I logged in this morning and everything was fine all across.

woodlandrelic
Path Finder

@richgalloway 

Is there usually a timeline for when these buckets will be replicated or a way to speed it up?

richgalloway
SplunkTrust

It depends on how many buckets are being fixed-up, how big they are, and what (if anything) is preventing them from being fixed-up.

sandeepreddy947
Path Finder

I have a bucket in fixup tasks in indexer cluster -> bucket status; it's been stuck. Both SF & RF. So, both SF and RF are not met in the indexer cluster.

I tried to roll and resync the bucket manually; that didn't work. There are no buckets in excess buckets; I've cleared them like more than 3hrs.

Is there any way to meet SF & RF without losing data or the bucket?

Forgot to mention, I had a /opt/cold drive that has an I/O error on an indexer. To get it fixed I had to stop Splunk and remove an indexer from the indexer cluster. All other indexers are up and running since last night. All 45 indexers in cluster-master are up and running and I left it to bucket fixup tasks to fix and also to rebalance overnight. When I checked in the morning there were only 2 fixup tasks left: one in SF & one in RF.

richgalloway
SplunkTrust

This thread is almost a year old with an accepted solution.  For a better chance at helpful responses, please post a new question.
