topic Splunk offline command has been running for days on several indexers. in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Splunk-offline-command-has-been-running-for-days-on-several/m-p/467263#M80533 <P>I have a similar situation as the question <A href="https://answers.splunk.com/answers/518111/splunk-offline-command-running-for-hours.html" target="_blank">"Splunk Offline command - running for hours"</A> however in my case I have several indexers which have been running the <STRONG>offline --enforce-counts</STRONG> command for days. One was started last Friday so it's been a week for it.</P> <P>When I check <CODE>splunkd.log</CODE> I can still see it copying buckets. For example,</P> <PRE><CODE>05-29-2020 14:02:01.562 +0000 INFO DatabaseDirectoryManager - idx=main Writing a bucket manifest in hotWarmPath='/opt/splunk/var/lib/splunk/main/db', pendingBucketUpdates=1 . Reason='Updating manifest: bucketUpdates=1' </CODE></PRE> <P>There are also a huge number of entries like this:</P> <PRE><CODE>05-29-2020 14:45:05.923 +0000 WARN AdminHandler:AuthenticationHandler - Denied session token for user: splunk-system-user (In splunkd.log 1911 entries for 1st host, 1256 entries for 2nd host, 1277 for 3rd host that has been running for a week, 1226 entries for 4th host) 05-29-2020 14:45:53.476 +0000 ERROR SearchProcessRunner - launcher_thread=0 runSearch exception: PreforkedSearchProcessException: can't create preforked search process: Cannot send after transport endpoint shutdown ( In splunkd.log 19962 entries for 1st host, 20273 entries for 2nd host, 1829 for 3rd host that has been running for a week, 19101 entries for 4th host) </CODE></PRE> <P>And on the one where it's been running for a week:</P> <PRE><CODE>05-29-2020 14:43:33.464 +0000 WARN DistBundleRestHandler - Failed to find data processor for endpoint=full-bundle 05-29-2020 14:44:26.520 +0000 WARN ReplicatedDataProcessorManager - Failed to find processor with key=delta-bundle since no such entry exists. 05-29-2020 14:44:26.520 +0000 WARN BundleDeltaHandler - Failed to find data processor for endpoint=delta-bundle (3092 total entries for both in splunkd.log) </CODE></PRE> <P>I see in the master Indexer Clustering dashboard that they are still decommissioning (although I don't know what the <STRONG>Buckets entry</STRONG> indicates. The number of buckets left to replicate?)</P> <P>All the indexers are running version 8.0.1 with the exception of a handful in the cluster that are not being decommissioned that have been upgraded to 8.0.3. The Master indexer is still 8.0.1</P> <P>What do I do to speed this up? There was no solution posted in the other question.</P> Sun, 07 Jun 2020 01:03:28 GMT scottj1y 2020-06-07T01:03:28Z Splunk offline command has been running for days on several indexers. https://community.splunk.com/t5/Getting-Data-In/Splunk-offline-command-has-been-running-for-days-on-several/m-p/467263#M80533 <P>I have a similar situation as the question <A href="https://answers.splunk.com/answers/518111/splunk-offline-command-running-for-hours.html" target="_blank">"Splunk Offline command - running for hours"</A> however in my case I have several indexers which have been running the <STRONG>offline --enforce-counts</STRONG> command for days. One was started last Friday so it's been a week for it.</P> <P>When I check <CODE>splunkd.log</CODE> I can still see it copying buckets. For example,</P> <PRE><CODE>05-29-2020 14:02:01.562 +0000 INFO DatabaseDirectoryManager - idx=main Writing a bucket manifest in hotWarmPath='/opt/splunk/var/lib/splunk/main/db', pendingBucketUpdates=1 . Reason='Updating manifest: bucketUpdates=1' </CODE></PRE> <P>There are also a huge number of entries like this:</P> <PRE><CODE>05-29-2020 14:45:05.923 +0000 WARN AdminHandler:AuthenticationHandler - Denied session token for user: splunk-system-user (In splunkd.log 1911 entries for 1st host, 1256 entries for 2nd host, 1277 for 3rd host that has been running for a week, 1226 entries for 4th host) 05-29-2020 14:45:53.476 +0000 ERROR SearchProcessRunner - launcher_thread=0 runSearch exception: PreforkedSearchProcessException: can't create preforked search process: Cannot send after transport endpoint shutdown ( In splunkd.log 19962 entries for 1st host, 20273 entries for 2nd host, 1829 for 3rd host that has been running for a week, 19101 entries for 4th host) </CODE></PRE> <P>And on the one where it's been running for a week:</P> <PRE><CODE>05-29-2020 14:43:33.464 +0000 WARN DistBundleRestHandler - Failed to find data processor for endpoint=full-bundle 05-29-2020 14:44:26.520 +0000 WARN ReplicatedDataProcessorManager - Failed to find processor with key=delta-bundle since no such entry exists. 05-29-2020 14:44:26.520 +0000 WARN BundleDeltaHandler - Failed to find data processor for endpoint=delta-bundle (3092 total entries for both in splunkd.log) </CODE></PRE> <P>I see in the master Indexer Clustering dashboard that they are still decommissioning (although I don't know what the <STRONG>Buckets entry</STRONG> indicates. The number of buckets left to replicate?)</P> <P>All the indexers are running version 8.0.1 with the exception of a handful in the cluster that are not being decommissioned that have been upgraded to 8.0.3. The Master indexer is still 8.0.1</P> <P>What do I do to speed this up? There was no solution posted in the other question.</P> Sun, 07 Jun 2020 01:03:28 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-offline-command-has-been-running-for-days-on-several/m-p/467263#M80533 scottj1y 2020-06-07T01:03:28Z