topic Why is my _thefishbucket always empty? in Splunk Enterprise

Why is my _thefishbucket always empty?

ademargomes — Wed, 18 May 2016 13:35:15 GMT

Hi All,

This is my first post in here. I have installed Splunk Light a few weeks ago and have been using it for reporting on various applications logs.

Today I deployed a few scripts that copy log files to my splunk server which is monitoring the folder and reading the logs.

Now, if a file is copied twice (or more) to the folder, Splunk Light reindexes it and duplicates the data.

I read about it and notice my _thefishbucket was empty no matter what. So i decided that it was because is was the Light version and uninstalled it and reinstalled Splunk but now the Enterprise version.

Still my _thefishbucket index still empty (0 events).

I dont know what to do to turn on the cyclic redundancy checks and it is killing the proposition of using Splunk for logs reporting.

So my questions are: how do I switch it on? and shouldn't it work by default?

Thanks in advance for your help,

Ademar

Re: Why is my _thefishbucket always empty?

somesoni2 — Wed, 18 May 2016 14:13:13 GMT

Can you provide the monitoring configuration (inputs.conf) that you're using for your monitoring?

Re: Why is my _thefishbucket always empty?

ademargomes — Tue, 29 Sep 2020 09:44:25 GMT

Hi there, thanks for your reply. I tried to edit the post but im not alowed. Hope it is alright to have it here:

[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=

[blacklist:$SPLUNK_HOME\etc\auth]

[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal

[monitor://$SPLUNK_HOME\etc\splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version

[batch://$SPLUNK_HOME\var\spool\splunk]
move_policy = sinkhole
crcSalt =

[batch://$SPLUNK_HOME\var\spool\splunk...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt =

[fschange:$SPLUNK_HOME\etc]

poll every 10 minutes

pollPeriod = 600

generate audit events into the audit index, instead of fschange events

signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[udp]
connection_host=ip

[tcp]
acceptFrom=*
connection_host=dns

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

[script]
interval = 60.0
start_by_shell = false

[SSL]

default cipher suites that splunk allows. Change this if you wish to increase the security

of SSL connections, or to lower it if you having trouble connecting to splunk.

cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
allowSslRenegotiation = true
sslQuietShutdown = false

Allow only sslv3 and above connections

sslVersions = *,-ssl2

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 10000000
source = wmi
sourcetype = wmi
queue = winparsing
persistentQueueSize=200MB

default single instance modular input restarts

[admon]
interval=60
baseline=0

[MonitorNoHandle]
interval=60

[WinEventLog]
interval=60
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=

[WinNetMon]
interval=60

[WinPrintMon]
interval=60

[WinRegMon]
interval=60
baseline=0

[perfmon]
interval=300

[powershell]
interval=60

[powershell2]
interval=60

Re: Why is my _thefishbucket always empty?

ademargomes — Wed, 18 May 2016 14:36:34 GMT

Hi somesoni2,

I tried both edit the post or send the file content as a comment but neither worked 😞

Re: Why is my _thefishbucket always empty?

ddrillic — Wed, 18 May 2016 14:55:25 GMT

Why do you care about the fishbucket? ; -) after all it's an internal processing space...

what is this fishbucket thing

Re: Why is my _thefishbucket always empty?

ademargomes — Wed, 18 May 2016 15:06:40 GMT

Hi ddrillic, thanks for the comment.

I dont in fact, but the data is getting duplicated as Splunks seems to index same file regardless the cyclic redundancy checks.

Re: Why is my _thefishbucket always empty?

ddrillic — Wed, 18 May 2016 15:33:38 GMT

oh - got it ; -)

Re: Why is my _thefishbucket always empty?

jkat54 — Wed, 18 May 2016 15:38:19 GMT

Try using this in your inputs.conf:

crcSalt =<SOURCE>

Here's documentation on inputs.conf that you can search for "crcSalt" to find more details about it.

http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/Inputsconf

The fishbucket is auto-magical and I have no clue why its always 0 mb in size etc on the disk. It's constantly used by splunk and data rotates within.