Deployment Architecture

How should I set the conf_replication_max_pull_count value for search head cluster members to pull configuration changes from the captain?

ben_leung
Builder
WARN  ConfMetrics - single_action=PULL_FROM took wallclock_ms=4610! Consider a lower value of conf_replication_max_pull_count in server.conf on all members

What should I base the value on for conf_replication_max_pull_count? The warning is telling me that the cluster nodes are taking too long to pull configuration changes from the captain. Is my understanding correct?

conf_replication_max_pull_count = <int>
* Controls the maximum number of configuration changes a member will
  replicate from the captain at one time.
* A value of 0 disables any size limits.
* Defaults to 1000.

splunkIT
Splunk Employee

Unless advised by Support, it's probably not a good idea to modify the conf_replication_max_pull_count setting.

The WARN itself is not necessarily a problem, unless it corresponds to slow UI response times and/or general system problems.

In general, note that this message is based on wallclock time. That means any performance problem on the system – e.g. memory pressure or contention for CPU – can cause this WARN. It isn't always a problem with the configuration replication workload itself.

If the WARN message corresponds to slow UI response times and/or general system problems, then please contact Support and provide the following artifacts for further analysis:

1.) Collect new diags from captain and from at least one of the member nodes
2.) On each of the search heads, please take a backup of the latest bundle file under var/run/splunk/snapshot to a temporary directory, and provide them as well

0 Karma
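To check whether the WARN lines cluster around the times users saw a slow UI, as the answer above suggests, the following added example (not part of the original posts and not Splunk code) buckets ConfMetrics warnings by hour. It assumes splunkd.log lines carry the usual `MM-DD-YYYY HH:MM:SS.mmm +ZZZZ` timestamp prefix in front of the message quoted in the question; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed line layout: "<timestamp> <tz> WARN  ConfMetrics - <message from the question>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} [+-]\d{4}\s+WARN\s+"
    r"ConfMetrics - single_action=(?P<action>\w+) took wallclock_ms=(?P<ms>\d+)!"
)

ADVICE = (" Consider a lower value of conf_replication_max_pull_count"
          " in server.conf on all members")

# Constructed sample input (timestamps and all values except 4610 are made up).
SAMPLE_LOG = "\n".join([
    "04-02-2024 09:14:07.512 +0000 WARN  ConfMetrics - single_action=PULL_FROM took wallclock_ms=4610!" + ADVICE,
    "04-02-2024 09:14:12.903 +0000 INFO  ExampleComponent - unrelated constructed line",
    "04-02-2024 09:47:31.004 +0000 WARN  ConfMetrics - single_action=PULL_FROM took wallclock_ms=3920!" + ADVICE,
    "04-02-2024 13:02:55.118 +0000 WARN  ConfMetrics - single_action=PULL_FROM took wallclock_ms=12850!" + ADVICE,
])


def parse_conf_warnings(text):
    """Yield (datetime, action, wallclock_ms) for each ConfMetrics WARN line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S")
            yield ts, m["action"], int(m["ms"])


def summarize_by_hour(text):
    """Return {(hour, action): {"count", "max_ms", "avg_ms"}} for the warnings."""
    buckets = defaultdict(list)
    for ts, action, ms in parse_conf_warnings(text):
        buckets[(ts.strftime("%Y-%m-%d %H:00"), action)].append(ms)
    return {
        key: {"count": len(v), "max_ms": max(v), "avg_ms": sum(v) // len(v)}
        for key, v in buckets.items()
    }


if __name__ == "__main__":
    # Compare these hourly buckets with the times of reported UI slowness.
    for (hour, action), stats in sorted(summarize_by_hour(SAMPLE_LOG).items()):
        print(hour, action, stats)
```

Run it against each member's splunkd.log; isolated buckets point to transient host load, while sustained buckets that line up with user complaints are the case the answer says to take to Support.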

splunkIT
Splunk Employee

What is your cluster's rep factor?

0 Karma

ben_leung
Builder

replication_factor = 1

but that is only for replication of search artifacts

The WARN message is referring to configuration changes, like knowledge objects being changed by users via the UI.

0 Karma