https://community.splunk.com/t5/Deployment-Architecture/Does-Splunk-recognize-when-buckets-are-deleted/m-p/281799#M10687 <P>Splunk will perform bucket fixups periodically and find the bucket no longer exists. At which time it will log a message or two or three and then remove the bucket from the manifest.</P> <P>See <CODE>index=_internal log_level=warn* OR log_level=err*</CODE>. The events should occur in less than 24 hours after the manual removal. Searches will just have "holes" in the data if a searchable copy of the bucket doesnt exist.</P> Mon, 06 Jun 2016 14:59:40 GMT jkat54 2016-06-06T14:59:40Z https://community.splunk.com/t5/Deployment-Architecture/Does-Splunk-recognize-when-buckets-are-deleted/m-p/281798#M10686 <P>I am doing a simple recovery test and deleted some warm buckets, but Splunk doesn't seem to even realize anything is wrong. Is this normal?</P> Mon, 06 Jun 2016 14:56:54 GMT https://community.splunk.com/t5/Deployment-Architecture/Does-Splunk-recognize-when-buckets-are-deleted/m-p/281798#M10686 lycollicott 2016-06-06T14:56:54Z https://community.splunk.com/t5/Deployment-Architecture/Does-Splunk-recognize-when-buckets-are-deleted/m-p/281799#M10687 <P>Splunk will perform bucket fixups periodically and find the bucket no longer exists. At which time it will log a message or two or three and then remove the bucket from the manifest.</P> <P>See <CODE>index=_internal log_level=warn* OR log_level=err*</CODE>. The events should occur in less than 24 hours after the manual removal. Searches will just have "holes" in the data if a searchable copy of the bucket doesnt exist.</P> Mon, 06 Jun 2016 14:59:40 GMT https://community.splunk.com/t5/Deployment-Architecture/Does-Splunk-recognize-when-buckets-are-deleted/m-p/281799#M10687 jkat54 2016-06-06T14:59:40Z https://community.splunk.com/t5/Deployment-Architecture/Does-Splunk-recognize-when-buckets-are-deleted/m-p/281800#M10688 <P>That search was the first thing I checked, but it had nothing about these buckets.</P> Mon, 06 Jun 2016 16:27:35 GMT https://community.splunk.com/t5/Deployment-Architecture/Does-Splunk-recognize-when-buckets-are-deleted/m-p/281800#M10688 lycollicott 2016-06-06T16:27:35Z https://community.splunk.com/t5/Deployment-Architecture/Does-Splunk-recognize-when-buckets-are-deleted/m-p/281801#M10689 <P>Probably has to with the log verbosity on BucketMover or something. I'd file a low priority ticket with support if you're THAT interested.</P> Mon, 06 Jun 2016 16:31:03 GMT https://community.splunk.com/t5/Deployment-Architecture/Does-Splunk-recognize-when-buckets-are-deleted/m-p/281801#M10689 jkat54 2016-06-06T16:31:03Z https://community.splunk.com/t5/Deployment-Architecture/Does-Splunk-recognize-when-buckets-are-deleted/m-p/281802#M10690 <P>What does |dbinspect index= return for these buckets? Splunk should eventually log an error message since there should be metadata associated with the deleted buckets, but you will have data gaps since the raw data is deleted.</P> Mon, 06 Jun 2016 17:46:55 GMT https://community.splunk.com/t5/Deployment-Architecture/Does-Splunk-recognize-when-buckets-are-deleted/m-p/281802#M10690 splunk_force_as 2016-06-06T17:46:55Z https://community.splunk.com/t5/Deployment-Architecture/Does-Splunk-recognize-when-buckets-are-deleted/m-p/281803#M10691 <P>I deleted bucket ids 32-34 and 37-39 and dbinspect only shows results for 35-36, so it is still unaware that anything is missing.</P> Mon, 06 Jun 2016 17:58:57 GMT https://community.splunk.com/t5/Deployment-Architecture/Does-Splunk-recognize-when-buckets-are-deleted/m-p/281803#M10691 lycollicott 2016-06-06T17:58:57Z https://community.splunk.com/t5/Deployment-Architecture/Does-Splunk-recognize-when-buckets-are-deleted/m-p/281804#M10692 <P>From Splunk Support:</P> <P>"Splunk assumes that you are doing this on-purpose and therefore would not send any WARN/ERROR events.</P> <P>The only reason you would alert is if a bucket were corrupt or never made it. Once it was there and you deleted it, from Splunk's perspective, everything was functioning."</P> <P>That doesn't seem like a sound process to me, but that's the explanation thus far. </P> <P><STRONG>UPDATE</STRONG> June 14: I've done some more testing and I just can't accept the outcome. Splunk is essentially a database and as an old <BR /> Oracle DBA I would expect/assume that it has some self-awareness of its integrity. I'm going to ask for this to be considered a defect.</P> <P><STRONG>UPDATE</STRONG> June 30: Support is going to perform some testing and submit an enhancement request.</P> <P><STRONG>UPDATE</STRONG> July 06: Support submitted enhancement request SPL-123789</P> Tue, 07 Jun 2016 19:29:50 GMT https://community.splunk.com/t5/Deployment-Architecture/Does-Splunk-recognize-when-buckets-are-deleted/m-p/281804#M10692 lycollicott 2016-06-07T19:29:50Z