Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Indexer Menu 7.2.3

halbeisendv
Path Finder
‎08-05-2019 09:45 AM

What is the significance of searchable copies and replicated copies flapping between green and gray on the indexer cluster. Thank you for your assistance.

alt text

Preview file
28 KB
0 Karma
Reply

Azeemering
Builder
‎08-06-2019 05:51 AM

From Splunk docs:

Searchable Data Copies: The number of complete searchable copies of the index that the cluster has.
Replicated Data Copies: The number of copies of the index that the cluster has. Each copy must be complete, with no buckets missing.

It shows that the moment you have one replicated data copy which becomes one searchable data copy, this data is searchable.

You can look for more details about the actual number of copies and buckets using this search:

| rest splunk_server_group=dmc_group_cluster_master splunk_server_group=dmc_indexerclustergroup* /services/cluster/master/indexes | fields title, is_searchable, replicated_copies_tracker*, searchable_copies_tracker*, num_buckets, index_size | rename replicated_copies_tracker.*.* as rp**, searchable_copies_tracker.*.* as sb** | eval replicated_data_copies = "" | foreach rp*actual_copies_per_slot [eval replicated_data_copies = replicated_data_copies." ".rp<<MATCHSTR>>actual_copies_per_slot."/".rp<<MATCHSTR>>expected_total_per_slot] | makemv replicated_data_copies | eval searchable_data_copies = "" | foreach sb*actual_copies_per_slot [eval searchable_data_copies = searchable_data_copies." ".sb<<MATCHSTR>>actual_copies_per_slot."/".sb<<MATCHSTR>>expected_total_per_slot] | makemv searchable_data_copies | eval is_searchable = if((is_searchable == 1) or (is_searchable == "1"), "Yes", "No") | eval index_size = round(index_size / 1024 / 1024 / 1024, 2)." GB" | fields title, is_searchable, searchable_data_copies, replicated_data_copies, num_buckets, index_size | search title="***" | search is_searchable="*" | rename title as "Index Name", is_searchable as "Fully Searchable", searchable_data_copies as "Searchable Data Copies", replicated_data_copies as "Replicated Data Copies", num_buckets as Buckets, index_size as "Cumulative Raw Data Size"
0 Karma
Reply
Get Updates on the Splunk Community!

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives

Splunk Observability Cloud continues to evolve, empowering engineering and operations teams with advanced ...