Getting Data In

In a two site indexer cluster, how to resolve when one site is down for maintenance but data is not being indexed at the other site?

sat94541
Communicator

I have Splunk Version 6.3.3 and it has two Sites. Site1 has two indexers and Site 2 has two indexers.
For maintenance purpose they shutdown peers in Site 2 and found that after that the indexer stopped indexing.
Many things were attempted to resolve the issue like restarting Cluster master and Cluster peers, but the issue didn’t resolve

0 Karma

rbal_splunk
Splunk Employee
Splunk Employee

On the Cluster Master Navigate to Setting> Indexing Cluster and found that “Replication Factor” and “search Factor” was not met.
Navigating to Setting> Indexing Cluster > Indexers>Bucket Status and notice many bucket in Fixup but without Current Status.
This was found to be empty – as per Splunk Support Normally Splunk will tell you the reason about Bucket in Fixup task. In this case since we had restarted the Cluster Master it was not showing the any status

Support helped us figure out that issue is when you have multi-site – you cannot shut down one site and expect SF and SF to meet.
And it was suggested to (plunk set indexing-ready) as per https://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/Restartindexing

This resolved the issue and made data searchable although Search Factor is not met and will eventually meet once site comes back.
In addition, after setting “splunk set indexing-ready”, the status filed started to show that SF is not met as site 2 is down.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!