We did a linux patching cycle about a month ago. We have a 10 indexer 2 site cluster with 3:3 search and replication. I put the cluster into maintenance mode, stop splunk on an indexer, patch, reboot, wait until the indexer is up on the cluster manager and then repeat the cycle for the remainder of the indexers. Usually after the patching is done the bucket fixup tasks are a small amount and rapidly resolve.
This past patching cycle we had a over 10k that are slowly resolving (maybe 30 a day). If I resync a bucket that number immediately drops by the amount I resync. I can only do 20 at a time because the cluster manager only allows 20 per page. That approach is silly with having to do that 10k times (currently sitting at 7k).
I saw a community post about doing a rolling restart of the cluster will resolve this issue but it didn't. I did notice that there is 18 indexes (out of 126) that have access buckets. Wasn't sure if that affects anything. Is there a way to resync buckets more easily? Maybe 100 at a time without having to click through prompts?
... View more