https://community.splunk.com/t5/Splunk-Search/Rawdata-may-be-corrupt/m-p/56745#M179889 <P>Hi anyone and everyone,</P> <P>Please could somebody help.</P> <P>I have been using Splunk for the past 2 and a half years.<BR /> I am using Splunk 5 and whenever I install a Splunk update over the existing Splunk 5, Splunk starts up as normal but after I perform a search, all the data will show until it gets to a point where it all vanishes and is replaced by the following.</P> <P>Error in 'databasePartitionPolicy': Failed to read 1 event(s) from rawdata in bucket 'main~178~02C5891B-D87B-444E-9AEC-E9C8E3E45913'. Rawdata may be corrupt, see search.log</P> <P>At this point I just reinstall the previous version as I need the search data.</P> <P>As I know I am going to have to update it for good at some point can any one fix this corruption issue?</P> <P>Kind regards,</P> <P>Paul</P> Thu, 06 Jun 2013 05:53:46 GMT profileaudio 2013-06-06T05:53:46Z https://community.splunk.com/t5/Splunk-Search/Rawdata-may-be-corrupt/m-p/56745#M179889 <P>Hi anyone and everyone,</P> <P>Please could somebody help.</P> <P>I have been using Splunk for the past 2 and a half years.<BR /> I am using Splunk 5 and whenever I install a Splunk update over the existing Splunk 5, Splunk starts up as normal but after I perform a search, all the data will show until it gets to a point where it all vanishes and is replaced by the following.</P> <P>Error in 'databasePartitionPolicy': Failed to read 1 event(s) from rawdata in bucket 'main~178~02C5891B-D87B-444E-9AEC-E9C8E3E45913'. Rawdata may be corrupt, see search.log</P> <P>At this point I just reinstall the previous version as I need the search data.</P> <P>As I know I am going to have to update it for good at some point can any one fix this corruption issue?</P> <P>Kind regards,</P> <P>Paul</P> Thu, 06 Jun 2013 05:53:46 GMT https://community.splunk.com/t5/Splunk-Search/Rawdata-may-be-corrupt/m-p/56745#M179889 profileaudio 2013-06-06T05:53:46Z https://community.splunk.com/t5/Splunk-Search/Rawdata-may-be-corrupt/m-p/56746#M179890 <P>I have this same problem. Any answers?</P> <P>Updated answer:</P> <P>Without a service contract it is very difficult to get answers or a solution to this problem that dont include some data loss.</P> <P>Ultimately, I had to track down the data buckets that had the corrupt data and remove them. Some of my SOS data is also corrupted and i never have gotten around to sorting out which data needs to be gone.</P> Tue, 03 Dec 2013 05:13:03 GMT https://community.splunk.com/t5/Splunk-Search/Rawdata-may-be-corrupt/m-p/56746#M179890 asmithe 2013-12-03T05:13:03Z https://community.splunk.com/t5/Splunk-Search/Rawdata-may-be-corrupt/m-p/56747#M179891 <P>I've run into this before also, and there is a fix IF the actual data in the bucket is not corrupt. If the bucket raw data is truly corrupt, it cannot be fixed.</P> <P>Here is a good place to read about fixing bad buckets:</P> <P><A href="http://wiki.splunk.com/Community:PostCrashFsckRepair">http://wiki.splunk.com/Community:PostCrashFsckRepair</A></P> <P>The repair routine never worked for me, so I use the rebuild instructions. However, sometimes those also fail for me, so modify the instructions a bit...</P> <P>First try the instructions as written. If that fails try this on a copy of the bucket.</P> <P>Remove all files inside the bucket except <CODE>journal.gz</CODE> - don't change the folder structure. Run rebuild on the bucket again, and it will be rebuilt from raw data. If that fails, then the data is likely unrecoverable. </P> Sun, 09 Feb 2014 18:51:19 GMT https://community.splunk.com/t5/Splunk-Search/Rawdata-may-be-corrupt/m-p/56747#M179891 lukejadamec 2014-02-09T18:51:19Z https://community.splunk.com/t5/Splunk-Search/Rawdata-may-be-corrupt/m-p/56748#M179892 <P>I have this same problem. Any answers?</P> Mon, 09 Jul 2018 06:35:36 GMT https://community.splunk.com/t5/Splunk-Search/Rawdata-may-be-corrupt/m-p/56748#M179892 khyoung7410 2018-07-09T06:35:36Z