Hi @rselv21

The defaults for Replication Factor (RF) and Search Factor (SF) are 3 and 2 respectively; this essentially allows for 1 node to be out of service without a loss of functionality. If a secondary node also becomes unavailable then some buckets may not have any searchable copies available to search. Although non-searchable copies of the buckets can be made searchable, doing so takes time.

As others have said, it's basically a trade-off between risk of data loss (RF), risk of lowered availability (SF) and storage availability (Cost).

The rule of thumb for sizing is that a searchable replica bucket uses approx 35% of the original raw ingest size, and a non-searchable bucket uses approx 15% of the raw ingest size, so a RF:SF of 3:2 uses approx 85% of the raw ingested volume per day.

Personally, the defaults are pretty good for the majority; it's only when you're limited by resource, OR have a large amount of searches running across a much larger indexer cluster that I would adjust these, as distributing more copies across a larger cluster can improve performance by ensuring there are no hotspots of data.

Check out the following docs for some good background on this: https://docs.splunk.com/Documentation/Splunk/9.4.2/Indexer/Thesearchfactor

Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.