Splunk Enterprise

data durability search factor not met

KhalidAlharthi
Explorer

i have a problem in the indexer cluster master 

i got error from 1 week ago which is red color saying there is a data durability .

 

KhalidAlharthi_0-1714629508955.png

 

and this photo for indexer clustring from the cluster master

KhalidAlharthi_1-1714629553899.png

 

and this from inside 1 index 

KhalidAlharthi_2-1714629582186.png

 

any help ?

Labels (1)
0 Karma

tej57
Contributor

Additionally, you can also try rolling the bucket manually as mentioned in the reason. The SF isn't met because it needs the bucket to be rolled. Click on the Actions drop down and roll the bucket. This should also help you fix the SF/RF not met issue without any downtime.

 

Thanks,
Tejas.

---

If the above solution helps, an upvote is appreciated.

0 Karma

KhalidAlharthi
Explorer

@deepakc  will this affect any data cuz it's production env .

0 Karma

deepakc
Builder

Providing there are no issues, a rolling restart is OK to perform. Its best to do this when it's least busy or have maintaince Window for your BAU operations.

A rolling restart performs a phased restart of all peer nodes, so that the indexer cluster as a whole can continue to perform its function during the restart process and data should be sent to the other indexers, whilst one is being restarted. There a number of checks it perfoms so can take a while which depends on your architecture.

First check the status, you can use the manager GUI or CLI
/opt/splunk/bin/splunk show cluster-status --verbose

Restart from the GUI or use the CLI
/opt/splunk/bin/splunk rolling-restart cluster-peers



0 Karma

deepakc
Builder

el_pollo_diablo
Engager

This worked for me, i had a Data Durability / Data Searcheable alert after the upgrade to 9.3.0 on Master Cluster

Thanks!

0 Karma

KhalidAlharthi
Explorer

i did a rolling restart and the issue still persist also another issue comes out 

 

KhalidAlharthi_0-1716189754624.png

 

0 Karma

deepakc
Builder

Those vmware-vclogs are creating lots small of buckets(folders) - this happens when the data- onboarding has is incorrect - timestamps or formatting, I would look at those logs and ensure you have applied proper data hygine with the correct TA

https://docs.splunk.com/Documentation/VMW/4.0.4/Installation/CollectVMwarevCenterServerLinuxApplianc... 

0 Karma
Get Updates on the Splunk Community!

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...