
Need to know about _raft directory on Search Head Cluster Members.

rbal_splunk
Splunk Employee

For Search Head Cluster members, Splunk has a _raft directory.


What do each of these entries mean?

0 Karma

anaidu_splunk
Splunk Employee

RAFT is Splunk Search Head Cluster terminology for "Raft distributed consensus". The process of electing the search head captain dynamically is known as RAFT. On automatic SH captain failover, a new captain is elected via RAFT, and it is recorded in $SPLUNK_HOME$/var/log/splunk/_raft//log.

This file contains:
* Members register their list of artifacts, running jobs, alerts, and search load statistics to a new captain.
* New captain enables its scheduler and executes fix-ups if needed.

If it is corrupted and a crash occurs, follow the doc below to troubleshoot.
https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Handleraftissues

Sample log in the crash.log:
"what(): error in raft entry file for node term Could not parse raft entry file. Search head clustering: Search head cluster member has a corrupted raft state.
2019-01-08 07:59:43.450 +0000 splunkd started (build a0c72a66db66) "

0 Karma

rbal_splunk
Splunk Employee

0001, 002, ... are the log entries' commit IDs.

metadata1 and metadata2 are a rolling record of the current captaincy.
