Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

data durability search factor not met

KhalidAlharthi
Engager
‎05-01-2024 11:00 PM

i have a problem in the indexer cluster master 

i got error from 1 week ago which is red color saying there is a data durability .

 

KhalidAlharthi_0-1714629508955.png

 

and this photo for indexer clustring from the cluster master

KhalidAlharthi_1-1714629553899.png

 

and this from inside 1 index 

KhalidAlharthi_2-1714629582186.png

 

any help ?

Labels (1)
Labels
0 Karma
Reply

tej57
Communicator
‎05-03-2024 01:27 AM

Additionally, you can also try rolling the bucket manually as mentioned in the reason. The SF isn't met because it needs the bucket to be rolled. Click on the Actions drop down and roll the bucket. This should also help you fix the SF/RF not met issue without any downtime.

 

Thanks,
Tejas.

---

If the above solution helps, an upvote is appreciated.

0 Karma
Reply

KhalidAlharthi
Engager
‎05-01-2024 11:21 PM

@deepakc  will this affect any data cuz it's production env .

0 Karma
Reply

deepakc
Builder
‎05-02-2024 12:54 AM

Providing there are no issues, a rolling restart is OK to perform. Its best to do this when it's least busy or have maintaince Window for your BAU operations.

A rolling restart performs a phased restart of all peer nodes, so that the indexer cluster as a whole can continue to perform its function during the restart process and data should be sent to the other indexers, whilst one is being restarted. There a number of checks it perfoms so can take a while which depends on your architecture.

First check the status, you can use the manager GUI or CLI
/opt/splunk/bin/splunk show cluster-status --verbose

Restart from the GUI or use the CLI
/opt/splunk/bin/splunk rolling-restart cluster-peers



0 Karma
Reply

deepakc
Builder
‎05-01-2024 11:20 PM

Worth trying a rolling restart on the cluster

https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/Userollingrestart

0 Karma
Reply

KhalidAlharthi
Engager
a month ago

i did a rolling restart and the issue still persist also another issue comes out 

 

KhalidAlharthi_0-1716189754624.png

 

0 Karma
Reply

deepakc
Builder
a month ago

Those vmware-vclogs are creating lots small of buckets(folders) - this happens when the data- onboarding has is incorrect - timestamps or formatting, I would look at those logs and ensure you have applied proper data hygine with the correct TA

https://docs.splunk.com/Documentation/VMW/4.0.4/Installation/CollectVMwarevCenterServerLinuxApplianc... 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...