Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Data Rebalancing vs Roll or Resync - What is best to do for "Search Factor is Not Met" and "Replication Factor is Not M"

robertlynch2020
Influencer
‎05-22-2023 04:03 AM

Hi

We are getting the following error message, I think I have a few options, but I am not sure what is the best.

I have read this but still not sure what to do.

https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Anomalousbuckets

robertlynch2020_0-1684753106428.png

What are the pros and cons of each option?

robertlynch2020_1-1684753137796.png

Or do I run a data rebalancing? On one Index, in this case, its a small index, so I should finish quickly...

robertlynch2020_2-1684753268953.png

@pravin 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tej57
Builder
‎05-22-2023 08:58 PM

Hey @robertlynch2020 ,

Both options are completely different for their use case. If SF/RF are not met, you should first identify the reason for not being met, and based on the reason you can decide if the roll/resync of bucket operation will help you achieve the cluster stability or not.

 

On the other hand, data rebalance is something that you would perform when the bucket distribution between the peers is uneven on a larger scale.  For an instance, consider an indexer cluster of 3 peers with bucket distribution of 100, 150, and 1000 buckets on each peer. In this case, you would want to perform the data rebalance activity.

 

---

If the above answer helps, Karma is appreciated..!! 🙂

View solution in original post

Reply
Solved! Jump to solution

tej57
Builder
‎05-24-2023 12:05 AM

Restart could be responsible for this message. You can try resyncing the bucket and it should resolve the issue without downtime.

0 Karma
Reply
Solved! Jump to solution
Solution

tej57
Builder
‎05-22-2023 08:58 PM

Hey @robertlynch2020 ,

Both options are completely different for their use case. If SF/RF are not met, you should first identify the reason for not being met, and based on the reason you can decide if the roll/resync of bucket operation will help you achieve the cluster stability or not.

 

On the other hand, data rebalance is something that you would perform when the bucket distribution between the peers is uneven on a larger scale.  For an instance, consider an indexer cluster of 3 peers with bucket distribution of 100, 150, and 1000 buckets on each peer. In this case, you would want to perform the data rebalance activity.

 

---

If the above answer helps, Karma is appreciated..!! 🙂

Reply
Solved! Jump to solution

robertlynch2020
Influencer
‎05-23-2023 07:42 AM

Hi

 

Thanks for the replay.

How do I find the reason for this happening? 

robertlynch2020_0-1684852958054.png

 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎05-24-2023 01:25 AM

Hi

maybe this query https://community.splunk.com/t5/Getting-Data-In/How-to-get-list-of-buckets-which-are-having-issues-i... help you to found real reason?

Common reason for that fixup task is that bucket hasn't rolled yet to warm, but if I recall right then the message was different? But as @tej57 said you could try to rolling restart for your cluster or just use REST call to roll hot to warm this individual bucket.

Anyhow looking that bucket from _internal index you should found the real reason why it give that error message to you.

r. Ismo

Reply
Solved! Jump to solution

robertlynch2020
Influencer
‎05-26-2023 01:30 AM

Thanks for your help i will look into this one

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...