In a scenario we will be using a Splunk cluster with 3 indexers.
The cluster will have a replication factor of 3.
If I configure the search factor to be 3 (instead of the default 2) will this increase my search / reports times because all 3 indexers can participate in the search instead of 2 them only participating? or do the searches not actually get split up like that?
Thanks,
Cam
Thank you I was just about to update and answer my own question.
To provide some references for people:
"A primary copy of a bucket is the searchable copy that participates in a search. A valid cluster has exactly one primary copy of each bucket. That way, one and only one copy of each bucket gets searched." [1]
and
"To ensure that exactly one copy of each bucket participates in a search, one searchable copy of each bucket in the cluster is designated as primary. Searches occur only across the set of primary copies" [2]
[1] http://docs.splunk.com/Documentation/Splunk/5.0.2/Indexer/Bucketsandclusters
[2] http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Basicclusterarchitecture
Another thought - ideally there is no search performance left to gain. If your forwarders balance the data between all indexers you already are searching on all indexers with more or less equal shares, given a large enough set of data to crawl through.
no, you only search on a single copy of the bucket at a time.
Increasing the searchfactor will require more indexer to store the replicated copy of the buckets in a searchable state.
So the consequence will be that more cpu/disk space will be used to maintain them ready.
And the goal is to have more indexers to failover for search in case of close consecutive indexers outages.