Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does not meet: primacy & sf & rf

blanky
Explorer
‎03-17-2025 11:52 PM

There was a time when the indexer server shut down unexpectedly, 

And I've been struggle with indexer clustering rf & sf were doesn't meet.

Every index are satisfied with rf & sf, but only one index doesn't meet sf & rf

 

I have tried roll / resync / rolling restart in the Master node, but it doesn't work.

 

I'm trying to find the error bucket and remove it from the CLI environment, and restart the cluster.

Is it right solution to solve this problem?? 
Or Suggest me the better way to solve it. please

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-17-2025 11:55 PM

@blanky 

If the RF and SF are not met then everything is not fine with your indexers.  Until the RF is met a failure of an indexer could result in data loss.

Since it looks like all indexers are up, it should just be a matter of waiting for buckets to be replicated.

Check to see if any buckets are stuck in fixup tasks? If so, resolve issue.

indexer clustering > Indexes > Bucket Status

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

View solution in original post

Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-18-2025 12:22 AM

@blanky 

I kindly request you to raise a support ticket for further troubleshooting. You may refer to the details below if they are helpful.

Search Factor and Replication Factor is not met on Cluster Manager | Splunk

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-18-2025 12:00 AM

@blanky 

You can run below search on your cluster master to get a list of bucket that have status="bucket hasn't rolled yet"

| rest splunk_server=local /services/cluster/master/fixup level=replication_factor 
| table title, latest.reason
| rename latest.reason AS LatestReason
| rename totle AS bucketID
| regex LatestReason="bucket hasn't rolled yet" | table buckekID

Once you got the bucketId, simple run below command on your Cluster Master will roll the bucket.

curl -k -u admin:changme https://localhost:8089/services/cluster/master/control/control/roll-hot-buckets -d "bucket_id=<BUCIET_ID>”

For example,


curl -k -u admin:changeme https://localhost:8089/services/cluster/master/control/control/roll-hot-buckets -d "bucket_id=_internal~4520~11111111-1111-1111-1111-111111111111”

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-17-2025 11:58 PM

@blanky 

look at the cluster master’s logs (splunkd.log) for errors related to the problematic index.
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution
Solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-17-2025 11:55 PM

@blanky 

If the RF and SF are not met then everything is not fine with your indexers.  Until the RF is met a failure of an indexer could result in data loss.

Since it looks like all indexers are up, it should just be a matter of waiting for buckets to be replicated.

Check to see if any buckets are stuck in fixup tasks? If so, resolve issue.

indexer clustering > Indexes > Bucket Status

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply
Solved! Jump to solution

blanky
Explorer
‎03-18-2025 12:01 AM

bucket status is "Waiting 'target_wait_time' before replicating buckt".

but, i've been waiting for a week for replicating. but it doesn't changed.

0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-18-2025 12:05 AM

@blanky 

If the bucket status is stuck on "Waiting 'target_wait_time' before replicating bucket" for a week, that’s a clear sign something’s gone wrong in your indexer clustering setup.
 
Ensure there are no network issues between the indexers. Network problems can impede bucket replication.
 
Check this documentation for more information: Bucket replication issues - Splunk Documentation 
 
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

blanky
Explorer
‎03-19-2025 10:52 PM

Thank you for your support.

I found a error bucket in the bucket state, removed it directly from the CLI environment, and rebooted it to fix the problem.
 
And the rf & sf met finally. Bucket with error was not created in folder form, but in file form.
0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...