
Does Splunk recognize when buckets are deleted?

lycollicott
Motivator

I am doing a simple recovery test and deleted some warm buckets, but Splunk doesn't seem to even realize anything is wrong. Is this normal?

0 Karma
1 Solution

lycollicott
Motivator

From Splunk Support:

"Splunk assumes that you are doing this on-purpose and therefore would not send any WARN/ERROR events.

The only reason you would alert is if a bucket were corrupt or never made it. Once it was there and you deleted it, from Splunk's perspective, everything was functioning."

That doesn't seem like a sound process to me, but that's the explanation thus far.

UPDATE June 14: I've done some more testing and I just can't accept the outcome. Splunk is essentially a database and as an old Oracle DBA I would expect/assume that it has some self-awareness of its integrity. I'm going to ask for this to be considered a defect.

UPDATE June 30: Support is going to perform some testing and submit an enhancement request.

UPDATE July 06: Support submitted enhancement request SPL-123789


splunk_force_as
Path Finder

What does |dbinspect index= return for these buckets? Splunk should eventually log an error message since there should be metadata associated with the deleted buckets, but you will have data gaps since the raw data is deleted.

0 Karma

lycollicott
Motivator

I deleted bucket ids 32-34 and 37-39 and dbinspect only shows results for 35-36, so it is still unaware that anything is missing.

0 Karma
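A detection check for the situation lycollicott describes, added here as an example (not code from the thread or from Splunk): it compares a dbinspect inventory taken before the test with the current one, so buckets removed at either end of the id sequence, which leave no hole for a single dbinspect run to show, are still reported. It assumes the results were exported as CSV with the standard dbinspect fields index, splunk_server, id and state (for instance via | outputcsv); the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed inventories mirroring the thread. BASELINE_CSV was taken before
# the test; CURRENT_CSV is what `| dbinspect index=main` reports after warm
# buckets 32-34 and 37-39 were deleted from disk.
BASELINE_CSV = "index,splunk_server,id,state\n" + "".join(
    f"main,idx01,{i},warm\n" for i in range(32, 40))
CURRENT_CSV = """index,splunk_server,id,state
main,idx01,35,warm
main,idx01,36,warm
"""


def bucket_ids(dbinspect_csv):
    """Parse a dbinspect CSV export into {(index, splunk_server): {id, ...}}."""
    ids = defaultdict(set)
    for row in csv.DictReader(io.StringIO(dbinspect_csv)):
        ids[(row["index"], row["splunk_server"])].add(int(row["id"]))
    return ids


def sequence_gaps(dbinspect_csv):
    """Holes inside the id sequence dbinspect currently reports, per index and indexer.

    This is all a single dbinspect run can reveal: buckets removed from either
    end of the sequence (32-34 and 37-39 in the thread) leave no hole at all.
    """
    gaps = {}
    for key, ids in bucket_ids(dbinspect_csv).items():
        missing = sorted(set(range(min(ids), max(ids) + 1)) - ids)
        if missing:
            gaps[key] = missing
    return gaps


def missing_since(baseline_csv, current_csv):
    """Ids present in the earlier inventory but absent now, including at the ends."""
    before, now = bucket_ids(baseline_csv), bucket_ids(current_csv)
    return {key: sorted(ids - now.get(key, set()))
            for key, ids in before.items() if ids - now.get(key, set())}


if __name__ == "__main__":
    print("gaps visible to dbinspect alone:", sequence_gaps(CURRENT_CSV))
    print("missing vs. baseline inventory:", missing_since(BASELINE_CSV, CURRENT_CSV))
```

Run the baseline export on a schedule and alert on a non-empty result from missing_since; a hit is a lead to check against the file system and the audit log, not proof of tampering on its own.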

jkat54
SplunkTrust

Splunk will perform bucket fixups periodically and find the bucket no longer exists, at which time it will log a message or two or three and then remove the bucket from the manifest.

See index=_internal log_level=warn* OR log_level=err*. The events should occur in less than 24 hours after the manual removal. Searches will just have "holes" in the data if a searchable copy of the bucket doesn't exist.

0 Karma

lycollicott
Motivator

That search was the first thing I checked, but it had nothing about these buckets.

0 Karma

jkat54
SplunkTrust

Probably has to do with the log verbosity on BucketMover or something. I'd file a low priority ticket with support if you're THAT interested.

0 Karma