Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: query to check fixup , SF, RF and data is sear...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
query to check fixup , SF, RF and data is searchable in splunk
Is there is any query to check like if there is any fixup pending and also it shows SF , RF and data is searchable in the cluster master .
We can check in cluster master U.I but without going there is there anywhere this log are store so that we can fetch.
I need to created a query which shows the status of SF, RF and searchable in Cluster Master also if there are any fixup pending.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this:
| rest/services/data/indexes
| table title searchFactor replicationFactor
and to check if data is searchable :
|metadata type=source
|search source IN(your_datasource)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Praz_123
You could try a rest call:
| rest /services/cluster/manager/healthThis returns a number of interesting fields around SF/RF.
eturned values
Name Datatype Description
| all_data_is_searchable | Boolean | Indicates if all data in the cluster is searchable. |
| all_peers_are_up | Boolean | Indicate if all peers are strictly in the Up status. |
| cm_version_is_compatible | Boolean | Indicates if any cluster peers are running a Splunk Enterprise version greater than or equal to the cluster manager's version. |
| multisite | Boolean | Indicates if multisite is enabled. |
| no_fixups_in_progress | Boolean | Indicates if there does not exist buckets with bucket state NonStreamingTarget, or bucket search states PendingSearchable or SearchablePendingMask. |
| pre_flight_check | Boolean | Indicates if the health check prior to a rolling upgrade was successful. This value is true only if the cluster passed all health checks. |
| replication_factor_met | Boolean | Only valid for mode=manager and multisite=false. Indicates whether the replication factor is met. If true, the cluster has at least replication_factor number of raw data copies in the cluster. |
| search_factor_met | Boolean | Only valid for mode=manager and multisite=false. Indicates whether the search factor is met. If true, the cluster has at least search_factor number of raw data copies in the cluster. |
| site_replication_factor_met | Boolean | Only valid for mode=manager and multisite=true. Indicates whether the site replication factor is met. If true, the cluster has at least replication_factor number of raw data copies in the cluster. |
| site_search_factor_met | Boolean | Only valid for mode=manager and multisite=true. Indicates whether the site search factor is met. If true, the cluster has at least site_search_factor number of raw data copies in the cluster. |
| splunk_version_peer_count | String | Lists the number of cluster peers running each Splunk Enterprise version. |
Check out the docs at https://docs.splunk.com/Documentation/Splunk/9.4.1/RESTREF/RESTcluster#cluster.2Fmanager.2Fhealth for more info on all the fields.
You could also check:
| rest /services/cluster/manager/info| active_bundle | Provides information about the active bundle for this manager. |
| bundle_creation_time_on_manager | The time, in epoch seconds, when the bundle was created on the manager. |
| bundle_validation_errors_on_manager | A list of bundle validation errors. |
| bundle_validation_in_progress | Indicates if bundle validation is in progress. |
| bundle_validation_on_manager_succeeded | Indicates whether the manager succeeded validating bundles. |
| data_safety_buckets_to_fix | Lists the buckets to fix for the completion of data safety. |
| gen_commit_buckets_to_fix | The buckets to be fixed before the next generation can be committed. |
| indexing_ready_flag | Indicates if the cluster is ready for indexing. |
| initialized_flag | Indicates if the cluster is initialized. |
| label | The name for the manager. Displayed in the Splunk Web manager page. |
| latest_bundle | The most recent information reflecting any changes made to the manager-apps configuration bundle. In steady state, this is equal to active_bundle. If it is not equal, then pushing the latest bundle to all peers is in process (or needs to be started). |
| maintenance_mode | Indicates if the cluster is in maintenance mode. |
| reload_bundle_issued | Indicates if the bundle issued is being reloaded. |
| rep_count_buckets_to_fix | Number of buckets to fix on peers. |
| rolling_restart_flag | Indicates whether the manager is restarting the peers in a cluster. |
| search_count_buckets_to_fix | Number of buckets to fix to satisfy the search count. |
| service_ready_flag | Indicates whether the manager is ready to begin servicing, based on whether it is initialized. |
| start_time | Timestamp corresponding to the creation of the manager. |
If you want specific fix-up info check out https://docs.splunk.com/Documentation/Splunk/9.4.1/RESTREF/RESTcluster#cluster.2Fmanager.2Ffixup
🌟Did this answer help you? If so, please consider:
- Adding kudos to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@livehybrid I ran the
| rest /services/cluster/manager/health
But while CM was down at that time also am getting value 1 but it should show 0 .
As I need to create a Alert for this but am not getting the correct output
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
Fun with Regular Expression - multiples of nine
