Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Factor is Not MeT

evinasco08
Explorer
‎02-05-2024 11:00 AM

Good afternoon

I hva e splunk srchitecture:

1 seach 

2 indexers in cluster

1 master node/License Server

1 Moniotoring Console/Deploymen server

2 Heavy forwarders

SF=2
RF=2

I added a new indexer to cluster, after that  tryed to change the RF and SF, both to 3, but when i change the values from splunk web in the master node and restart the instance, th aplatform show me the nex message:

 

Picture4.png 

Picture3.png

then, I did rollabck, return SF=2 and RF=2, and evetrything normal, but the bucket status shows

evinasco08_0-1707159440094.png

I need to change the SF and RF and I need to know if this will fix the iisues with the indexes

Regards

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-05-2024 11:28 AM

Hi @evinasco08,

It may take some time for third indexer get replicated copies from other indexers and make them searchable. Did you wait enough time for this operations to finish? It is normal your search and replication factors are not met because cluster has only two copies of some buckets while migration. You could monitor this process on Bucket Status page. You should have seen a lot of pending buckets. Cluster would be a complete state after these fix-ups completed.

After rollback to RF=2 and SF=2 excess buckets are normal because cluster manager was trying to replicate buckets to match RF=3, SF=3 state, when you rollback these third copies became excess. If you want to keep RF=2, SF=2 you can simply/safely remove excess bucket from Bucket Status page. 

Setting RF and SF equal to indexer count is not a best practice. Because if any of your indexers experience problem or restart your cluster will not be able to reach complete state because missing enough peers. 

I advise keeping RF=2 and SF=2 with 3 indexers. 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎02-05-2024 03:58 PM

Hi @evinasco08,

You can check this document;

https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Clusterstates

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎02-05-2024 01:11 PM

Hi @evinasco08 ,

Yes that's normal and correct.

Sorry for my typo, I edited my reply

I advise keeping RF=2 and SF=2 with 3 indexers.  

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

evinasco08
Explorer
‎02-05-2024 02:06 PM

@scelikok last queston, ¿Do you have support documentation where splunk indicate that setting RF and SF equal to indexer count is not a best practice?

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-05-2024 11:28 AM

Hi @evinasco08,

It may take some time for third indexer get replicated copies from other indexers and make them searchable. Did you wait enough time for this operations to finish? It is normal your search and replication factors are not met because cluster has only two copies of some buckets while migration. You could monitor this process on Bucket Status page. You should have seen a lot of pending buckets. Cluster would be a complete state after these fix-ups completed.

After rollback to RF=2 and SF=2 excess buckets are normal because cluster manager was trying to replicate buckets to match RF=3, SF=3 state, when you rollback these third copies became excess. If you want to keep RF=2, SF=2 you can simply/safely remove excess bucket from Bucket Status page. 

Setting RF and SF equal to indexer count is not a best practice. Because if any of your indexers experience problem or restart your cluster will not be able to reach complete state because missing enough peers. 

I advise keeping RF=2 and SF=2 with 3 indexers. 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

evinasco08
Explorer
‎02-05-2024 01:00 PM

@scelikok thank you,

Then,  is it normal that the RF and SF appears like "is Not MeT" untill finish to replicate the buckets?, thus, the master node would show "Search Factor is Met" and " Replication Factor is Met". that is correct? besides, you advise to me apply  RF=2 and SF=3, but the replication Factor cannot be less than Search Factor.

 

 

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...