Splunk Enterprise

data durability search factor not met

KhalidAlharthi
Explorer

i have a problem in the indexer cluster master 

i got error from 1 week ago which is red color saying there is a data durability .

 

KhalidAlharthi_0-1714629508955.png

 

and this photo for indexer clustring from the cluster master

KhalidAlharthi_1-1714629553899.png

 

and this from inside 1 index 

KhalidAlharthi_2-1714629582186.png

 

any help ?

Labels (1)
0 Karma

tej57
Contributor

Additionally, you can also try rolling the bucket manually as mentioned in the reason. The SF isn't met because it needs the bucket to be rolled. Click on the Actions drop down and roll the bucket. This should also help you fix the SF/RF not met issue without any downtime.

 

Thanks,
Tejas.

---

If the above solution helps, an upvote is appreciated.

0 Karma

KhalidAlharthi
Explorer

@deepakc  will this affect any data cuz it's production env .

0 Karma

deepakc
Builder

Providing there are no issues, a rolling restart is OK to perform. Its best to do this when it's least busy or have maintaince Window for your BAU operations.

A rolling restart performs a phased restart of all peer nodes, so that the indexer cluster as a whole can continue to perform its function during the restart process and data should be sent to the other indexers, whilst one is being restarted. There a number of checks it perfoms so can take a while which depends on your architecture.

First check the status, you can use the manager GUI or CLI
/opt/splunk/bin/splunk show cluster-status --verbose

Restart from the GUI or use the CLI
/opt/splunk/bin/splunk rolling-restart cluster-peers



0 Karma

deepakc
Builder

el_pollo_diablo
Engager

This worked for me, i had a Data Durability / Data Searcheable alert after the upgrade to 9.3.0 on Master Cluster

Thanks!

0 Karma

KhalidAlharthi
Explorer

i did a rolling restart and the issue still persist also another issue comes out 

 

KhalidAlharthi_0-1716189754624.png

 

0 Karma

deepakc
Builder

Those vmware-vclogs are creating lots small of buckets(folders) - this happens when the data- onboarding has is incorrect - timestamps or formatting, I would look at those logs and ensure you have applied proper data hygine with the correct TA

https://docs.splunk.com/Documentation/VMW/4.0.4/Installation/CollectVMwarevCenterServerLinuxApplianc... 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...