Why are my sites unbalanced?

w199284 · ‎01-31-2019

I have two sites in a multi-site cluster. 7 peers in each site. I have been running this configuration for two years. Over the last couple months I've begun to notice that one site has been adding more buckets that the other. In approximate numbers, site1 has 203,000 buckets. Site2 has 175,000 buckets. I've run rolling-restart a couple times and data rebalance too. I've searched for troubleshooting tips for situations like these but I have not turned up much useful information. My forwarders (heavy and universal) are configured to auto balance across all peers. I'm on version 7.04 and have been there since shortly after its release. What is going on? Thank you for your consideration.

vishaltaneja070 · ‎01-31-2019

Hello @w199284

I think the issue here is Splunk try to achieve 90% rebalancing not fully 100%. If you want 100% rebalancing on both the sides, then you can achieve that as well using the below command:

splunk edit cluster-config -mode master -rebalance_threshold 1 -auth admin:your_password

The below link can help you better:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/Rebalancethecluster

ssadanala1 · ‎01-31-2019

How many excess buckets you have ?

w199284 · ‎01-31-2019

No excess buckets.

w199284 · ‎01-31-2019

No excess buckets

adonio · ‎01-31-2019

please share your replication configurations in server.conf:
site_replication_factor = <comma-separated string>

w199284 · ‎01-31-2019

site_replication_factor = origin:1,total:2

I should mention that it has been configured this way since I went to multi-site.

Why are my sites unbalanced?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM