https://community.splunk.com/t5/Splunk-Search/How-do-I-resolve-this-error-in-index-internal/m-p/641191#M222145 <P>Error #1 should not reference the search log since there is nothing in the message that tells us what search is reported the error. You can ignore that suggestion.&nbsp; You can, however, use the fsck command to attempt to repair the file.</P><P>The other two error messages do not provide enough information to diagnose or fix anything.&nbsp; Unless there are other messages that offer more context or information then you can ignore the error.</P><P>&nbsp;</P> Mon, 24 Apr 2023 20:05:56 GMT richgalloway 2023-04-24T20:05:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-resolve-this-error-in-index-internal/m-p/641132#M222123 <P>Hello All,</P> <P>I am searching for corrupt data in Splunk, and thus executed the below query: -</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=_internal sourcetype=splunk_search_messages "corrupt" OR "corrupted"</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I got the below errors: -</P> <P><STRONG>Error 1: -</STRONG></P> <P>message=[wd*****] [subsearch]: Failed to read size=4 event(s) from rawdata in bucket='dummyIndex~119~8X88XXY-X8XX-88X8-888X-X88X88XX8888' path='/u01/ovz/data/dummyIndex/db/db_1611661166_1611222333_111_8X88XX8X-X8XX-88X8-888X-X88X88XX8888. Rawdata may be corrupt, see search.log.&nbsp; Results may be incomplete!</P> <P><STRONG>Error 2: -</STRONG></P> <P>01-01-2023 07:01:01.098 ERROR SRSSerializer [12729 RemoteTimelineReadThread] - cannot read file magic -probably corrupt</P> <P><STRONG>Error 3: -&nbsp;</STRONG></P> <P>Error decompressing zstd block: Corrupted block detected</P> <P>I need your help to understand and get details about the above errors, Error 1, Error 2 and Error 3.</P> <P>In Error 1, it states to check search.log. Thus, it would be helpful if you can share how to fetch the relevant information from the file.&nbsp;</P> <P>So far for error 1, I found&nbsp;<A href="https://community.splunk.com/t5/Splunk-Search/Searchquery-error/m-p/509508" target="_blank" rel="noopener">https://community.splunk.com/t5/Splunk-Search/Searchquery-error/m-p/509508</A>&nbsp;which states that file may be corrupt.</P> <P>Any information about the above two errors will be very helpful.</P> <P>Thank you</P> Mon, 24 Apr 2023 19:03:45 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-resolve-this-error-in-index-internal/m-p/641132#M222123 Taruchit 2023-04-24T19:03:45Z https://community.splunk.com/t5/Splunk-Search/How-do-I-resolve-this-error-in-index-internal/m-p/641179#M222139 <P>For error 1, I fetched following details on&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.4/Indexer/HowSplunkstoresindexes:" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.4/Indexer/HowSplunkstoresindexes:</A>&nbsp;-</P><P><SPAN>db_1611661166_1611222333_111_8X88XX8X-X8XX-88X8-888X-X88X88XX8888</SPAN></P><UL><LI>db: Originating bucket</LI><LI><SPAN>1611661166: Newest time</SPAN></LI><LI><SPAN>1611222333: Oldest time</SPAN></LI><LI><SPAN>111: localid; ID for the bucket</SPAN></LI><LI><SPAN>8X88XX8X-X8XX-88X8-888X-X88X88XX8888: guid; guid of the source peer node</SPAN></LI></UL> Mon, 24 Apr 2023 18:39:30 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-resolve-this-error-in-index-internal/m-p/641179#M222139 Taruchit 2023-04-24T18:39:30Z https://community.splunk.com/t5/Splunk-Search/How-do-I-resolve-this-error-in-index-internal/m-p/641191#M222145 <P>Error #1 should not reference the search log since there is nothing in the message that tells us what search is reported the error. You can ignore that suggestion.&nbsp; You can, however, use the fsck command to attempt to repair the file.</P><P>The other two error messages do not provide enough information to diagnose or fix anything.&nbsp; Unless there are other messages that offer more context or information then you can ignore the error.</P><P>&nbsp;</P> Mon, 24 Apr 2023 20:05:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-resolve-this-error-in-index-internal/m-p/641191#M222145 richgalloway 2023-04-24T20:05:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-resolve-this-error-in-index-internal/m-p/641192#M222146 <P>That is the correct breakdown of a bucket name.</P> Mon, 24 Apr 2023 20:07:02 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-resolve-this-error-in-index-internal/m-p/641192#M222146 richgalloway 2023-04-24T20:07:02Z