Excess buckets are the result of corrective action taken by the cluster master upon peer node failure to ensure that your configured replication factor is being met in the cluster. Because the cluster master at some point decided that certain buckets need to be replicated to meet your RF/SF, these buckets don't have any naming conventions that 'mark' them as excess buckets; they look like any other bucket. It is the fact that you have more copies of a given bucket than needed to satisfy RF/SF that makes them 'excessive'. I strongly advise you to not try and take any manual action without involvement of Splunk support.
If you believe that the UI-driven action does not remove all excess buckets AND your cluster is otherwise healthy, i.e. RF/SF are met and all peer nodes are up, please file a case with Splunk support.
Once a server is put into detention, it is essentially removed from the cluster in terms of bucket replication and rebalancing. So if your search / replication factor is no longer met with these servers in detention, then yes, your SF won't be made and you will get these errors.
Manually rebalancing should work, assuming you have the requisite number of peers in your site SF/RF. See this doc: http://docs.splunk.com/Documentation/Splunk/6.3.3/Indexer/Rebalancethecluster