Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can we recover the empty bucket in the var/lib folder after a Splunk system crash?

tlam_splunk
Splunk Employee
Splunk Employee
‎10-30-2018 12:58 AM

After a Splunk crash, we are finding that there are a number of emptybucket-hot_v1_xxx in the /var/lib/... folder. Although we can find the new data coming and it can be searched, we are finding that some of the data is missing.

How could we recover the empty bucket ?

Reply

highsplunker
Contributor
‎10-06-2023 09:47 AM

Thanks a lot! It helped!

0 Karma
Reply

tlam_splunk
Splunk Employee
Splunk Employee
‎10-30-2018 01:02 AM

After the dirty shutdown, the bucket got corrupted and Splunk marked it for further investigation.

ls -laR emptybucket-hot_v1_xxx

Check that it has the journal.gz and necessary files...

Then do the following
1) Stop Splunk
2) make backup of that bucket
3) rename the bucket back to hot_v1_xxx
4) repair using fsck (and adding --include-hots) (save log output)
5) Start Splunk

Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...