A safe first step is to verify that the group attribute in your IdP (such as AD/Okta/Azure AD) exactly matches what is configured in Splunk’s SAML group mapping. Small differences like case sensitivity or spacing can cause issues. You can also try the Reload SAML Configuration option, it simply refreshes the configuration and mappings without disrupting service, so it is generally safe to use when troubleshooting. ... View more

That's true. Then you must remember that rebalancing just count number of buckets when it does its work. Because buckets can have different sizes the disk space usage is not rebalanced just count of those. In rebalancing there are two options: rebalance primaries rebalance buckets 1st one is done automatically in quite many situations e.g. rolling restart etc. 2nd one is always manual work which target it set to 90% level. What I have done by myself is modify that %-level. Depending on environment I have used e.g. 95-99% to get better distribution of buckets over nodes. After you have gotten suitable level, you should adjust that % level back to 90%. ... View more