I am still confused. From my understanding, in an SHC, if I configure a member to share a datamodel from another member (Same Cluster), will the size of the datamodel summaries stored on the indexers also be reduced? ... View more

What is it you are trying to achieve here? I would just like to know the impact in case I encounter a KV Store status failure. How can I identify which apps, such as ES, might be affected If I remove or clear kvstore data? ... View more

@isoutamo Thanks you so much, How can I estimate the time required for replicating the data? ... View more

From Step No.3 Install new Indexer nodes Please correct me if I'm wrong, The overall step that you mention are 1. Add all new Indexers to the same cluster. 2. Increase the replicate data between Indexer.   #CM [clustering] max_peer_build_load = 20 (default 2) max_peer_rep_load = 50 (default 5)   3. Rebalance the data to reduce the bucket size on the old indexer and make copies of the data to the new indexer. 4. Put one of the old indexers in manual detention to prevent data replication to the old indexer   !!Do this one by one splunk edit cluster-config -manual_detention on   5. Use the splunk offline --enforce-counts command to stop the indexer and force the Cluster Master to copy the remaining primary buckets to the new indexer.   !!Do this one by one splunk offline --enforce-counts   6. Remove the old indexer from cluster.   !!Do this one by one splunk remove cluster-peers -peers <peer_id>   ... View more

Try to change the schedule  From  schedule = 0 6 * * * To  schedule = 1800   ... View more