Splunk Enterprise

Data Rebalancing vs Roll or Resync - What is best to do for "Search Factor is Not Met" and "Replication Factor is Not M"

robertlynch2020
Influencer

Hi

We are getting the following error message. I think I have a few options, but I am not sure what is the best.

I have read this but am still not sure what to do.

https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Anomalousbuckets

robertlynch2020_0-1684753106428.png

What are the pros and cons of each option?

robertlynch2020_1-1684753137796.png

Or do I run a data rebalancing? On one Index, in this case, it's a small index, so I should finish quickly...

robertlynch2020_2-1684753268953.png

@pravin 

 

0 Karma
1 Solution

tej57
Contributor

Hey @robertlynch2020 ,

Both options are completely different in their use cases. If SF/RF are not met, you should first identify the reason they are not being met, and based on that reason you can decide whether the bucket roll/resync operation will help you achieve cluster stability or not.

On the other hand, data rebalance is something that you would perform when the bucket distribution between the peers is uneven on a larger scale. For instance, consider an indexer cluster of 3 peers with bucket distribution of 100, 150, and 1000 buckets on each peer. In this case, you would want to perform the data rebalance activity.

 

---

If the above answer helps, Karma is appreciated..!! 🙂


tej57
Contributor

A restart could be responsible for this message. You can try resyncing the bucket, and it should resolve the issue without downtime.

0 Karma

robertlynch2020
Influencer

Hi

 

Thanks for the reply.

How do I find the reason for this happening? 

robertlynch2020_0-1684852958054.png

 

0 Karma

isoutamo
SplunkTrust

Hi

Maybe this query https://community.splunk.com/t5/Getting-Data-In/How-to-get-list-of-buckets-which-are-having-issues-i... helps you to find the real reason?

A common reason for that fixup task is that the bucket hasn't rolled to warm yet, but if I recall right then the message was different? But as @tej57 said, you could try a rolling restart for your cluster or just use a REST call to roll this individual bucket from hot to warm.

Anyhow, looking at that bucket in the _internal index, you should find the real reason why it gives that error message to you.

r. Ismo
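
As an added example (not from any poster in this thread and not Splunk's own code): one way to approach "how do I find the reason" is to pull the cluster manager's pending fixup list and group it by index and latest reason. The response shape used here (`entry[].name`, `content.index`, `content.initial` and `content.latest` with `reason` and `timestamp`) is an assumption, and the sample buckets, reasons and timestamps are constructed.

```python
import json
from collections import defaultdict

# Constructed sample, shaped like the assumed JSON of
# GET /services/cluster/master/fixup?level=replication_factor&output_mode=json
# Bucket ids, reasons and timestamps are made up for illustration.
G1 = "AAAAAAAA-0000-0000-0000-000000000001"
G2 = "BBBBBBBB-0000-0000-0000-000000000002"
SAMPLE = json.dumps({"entry": [
    {"name": f"app_logs~12~{G1}", "content": {"index": "app_logs",
        "initial": {"reason": "(constructed) peer restarted", "timestamp": 1684750000},
        "latest": {"reason": "(constructed) bucket has not rolled to warm", "timestamp": 1684753000}}},
    {"name": f"app_logs~13~{G1}", "content": {"index": "app_logs",
        "initial": {"reason": "(constructed) peer restarted", "timestamp": 1684751000},
        "latest": {"reason": "(constructed) bucket has not rolled to warm", "timestamp": 1684753100}}},
    {"name": f"web~4~{G2}", "content": {"index": "web",
        "initial": {"reason": "(constructed) peer went down", "timestamp": 1684740000},
        "latest": {"reason": "(constructed) not enough peers for copies", "timestamp": 1684752000}}},
]})


def summarize_fixups(raw, now):
    """Group pending fixup tasks by (index, latest reason), longest-pending first."""
    groups = defaultdict(lambda: {"buckets": [], "first_seen": None})
    for entry in json.loads(raw).get("entry", []):
        content = entry.get("content") or {}
        reason = (content.get("latest") or {}).get("reason", "unknown")
        seen = (content.get("initial") or {}).get("timestamp")
        group = groups[(content.get("index", "?"), reason)]
        group["buckets"].append(entry.get("name", "?"))
        # Track the oldest initial timestamp so long-stuck tasks stand out.
        if seen is not None and (group["first_seen"] is None or seen < group["first_seen"]):
            group["first_seen"] = seen
    rows = []
    for (index, reason), group in groups.items():
        first = group["first_seen"]
        rows.append({"index": index, "reason": reason,
                     "count": len(group["buckets"]),
                     "pending_secs": None if first is None else now - first,
                     "buckets": sorted(group["buckets"])})
    # Groups without a timestamp sort last; otherwise longest-pending first.
    rows.sort(key=lambda r: (r["pending_secs"] is None, -(r["pending_secs"] or 0)))
    return rows


if __name__ == "__main__":
    for row in summarize_fixups(SAMPLE, now=1684760000):
        print(f'{row["index"]:10} {row["count"]:3} {row["pending_secs"]}s  {row["reason"]}')
```

A few buckets in one index sharing one reason points at a per-bucket roll or resync, while the uneven per-peer bucket counts described in the accepted answer are the case for a rebalance.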

robertlynch2020
Influencer

Thanks for your help, I will look into this one.

0 Karma