Deployment Architecture

Health indicator red: Index Processor -> Buckets - Maybe "Failed to remove summary of" ... ? but files are not present

bdraeger
Engager

Hi everyone,

I have a problem with an Indexer. Inside the Health Indicator (the small icon beside the username) the "Health Status of Splunkd" indicates a severe Error: "Index Processor -> Buckets".
The HealthIndicator itself doesn't provide any other help or information.
Neither the ManagementConsole, nor the Masternode does know something about this issue. Everything there is "green".

The only thing I found in the _internal regarding the problematic host(Indexer) was:
01-28-2019 xx:xx:34.770 +0100 ERROR DatabaseDirectoryManager - Failed to remove summary of bid=_internal~XXXX~XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX with cid="dma|_internal~XXXX~XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX|XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX_XX_Splunk_XX_XXX_XXXXXXXX.YYYYYYYYY" from summary manager, skipping remove.

The permissions in the folders (on the linux machine allow deleting)

total 208
drwx--x--- 3 splunk splunk 8192 Dec 7 2017 .
drwx------ 271 splunk splunk 135168 Jan 28 11:00 ..
-rw------- 1 splunk splunk 31827 Dec 7 2017 XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXXXXXXXXXXX.tsidx
-rw------- 1 splunk splunk 1183 Dec 7 2017 bloomfilter
-rw------- 1 splunk splunk 75 Dec 7 2017 bucket_info.csv
-rw------- 1 splunk splunk 99 Dec 7 2017 Hosts.data
-rw------- 1 splunk splunk 0 Dec 7 2017 optimize.result
drwx------ 2 splunk splunk 4096 Dec 7 2017 rawdata
-rw------- 1 splunk splunk 6 Dec 7 2017 .rawSize
-rw------- 1 splunk splunk 5 Dec 7 2017 .sizeManifest4.1
-rw------- 1 splunk splunk 101 Dec 7 2017 Sources.data
-rw------- 1 splunk splunk 105 Dec 7 2017 SourceTypes.data
-rw------- 1 splunk splunk 254 Dec 7 2017 Strings.data

Could the log entry belong to the issue? How can I clean/repair up the summary? The files aren't present any more. So of cause the files can't be deleted
Thanks for your reply.

dm1
Contributor

were you able to fix this issue ?

0 Karma
Get Updates on the Splunk Community!

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...

Want to Reduce Costs, Mitigate Risk, Improve Performance, or Increase Efficiencies? ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...