Splunk Enterprise

Rebalance primaries not working ?

agneticdk
Path Finder

Hi guys

I run the data rebalance (also tried the REST on the master), for primary rebalancing. As described here: http://docs.splunk.com/Documentation/Splunk/7.1.2/Indexer/Rebalancethecluster

But nothing happens. The data is balanced alright, but in my 2 indexer node cluster, only one returns my results for all data (yes it is over several buckets)

The issue here is that I had only data flowing to one indexer. Then I got the other operating, so all db_ buckets on 01 and all rb_ buckets on 02.

I thought that primary rebalancing would make it so that it would balance primaries between indexer 01 and 02 ? So I can get both indexers to return search data to the search head.

I get this in splunkd on the master:
08-03-2018 09:40:16.097 +0200 INFO CMMaster - scheduled rebalance primaries

And then nothing happens.

Am I missing something here ?

Thank you
André

Tags (1)
0 Karma

DalJeanis
Legend

This problem can happen if the buckets on the original indexer were created on a lone indexer that was not part of a cluster. (You can have a cluster of one, which avoids this issue, but most people don't set that up originally.)

Unclustered buckets have a slightly different naming convention to clustered buckets, and therefore aren't treated the same way during rebalancing. (I'm actually surprised there are rb_buckets for those on the other indexer, which makes me wonder what else is going on.)

Here's the naming conventions from this page ... https://docs.splunk.com/Documentation/Splunk/7.0.4/Indexer/HowSplunkstoresindexes

 For non-clustered buckets: db_<newest_time>_<oldest_time>_<localid>
 For clustered original bucket copies: db_<newest_time>_<oldest_time>_<localid>_<guid>
 For clustered replicated bucket copies: rb_<newest_time>_<oldest_time>_<localid>_<guid>

So, first check to see if the older buckets match the non-clustered naming convention, in which case they wouldn't be subject to the clustered control.

If they ARE in the clustered naming convention, and if you have them set to 2/2, there should be searchable copies on both indexers, and the primary rebalance would then not really do anything, because all of them would be searchable and you'd only have to talk to one indexer to get that data. So, in that case, try setting it back to 1/2 and then doing your primary rebalance, and see if that fixes it.

0 Karma

agneticdk
Path Finder

Well, it was a part of the cluster, and has the GUID in the bucket directory names. So that was not the issue.

The cluster was created with two indexers. One indexer (lets call that indexer 2) needed to be reinstalled, so all data was sent to indexer 1.

After the reinstall of indexer 2, which took several days, all the db buckets on indexer 1 made an rb on indexer 2. So the clustering works fine.

But when searching that data only indexer 1 returned results because all primaries were on indexer 1. Rebalance primaries, I would expect at least some of the rb buckets to be chosen as primary. But not even one bucket was chosen.

Now that the cluster is operating on two indexers, moving forward, data is evenly distributed between the indexers, so both create db buckets. And hence both indexers have about half primaries.

So it is not a problem for new data. I was just a bit dissapointed that the rebalance primaries on the old data did not work.

0 Karma

deepashri_123
Motivator

Hey@agneticdk,

What is the replication factor and search factor that you are using ?

The doc says "To achieve primary rebalancing, the master reassigns the primary state from existing bucket copies to searchable copies of the same buckets on other peers" for this condition you need to have searchable copies on other indexer.
Can you check this?

0 Karma

agneticdk
Path Finder

It is 2 for both. And moving forward I get balanced primaries, as data is pouring in to both indexers.

But I thought, that after having a lot of data going to indexer 01, and then adding my 02, and after replication and search factor are met, that I could give it a "primary rebalance" so that some of the rb buckets on 02 could help do some work.

Moving forward I have balanced data and primaries as both indexers now gets data directly from the forwarders, and all is good. Just wondering why the balance primaries didn't do anything.

0 Karma

boz_8058
Explorer

I also have this problem, any further updates to this?

0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...