Deployment Architecture

How you do create the merged_lexicon.lex after a bucket restore?

Lowell
Super Champion

How do you force the creation of the merged_lexicon.lex for a bucket that was manually restored? (And is this possible to do for buckets created by Splunk 3.x)?

Background info: I had some buckets with very bad date ranges--a few single buckets with hundreds or thousands of days. (This problem was mostly my own fault from back in the Splunk 3.4.x days.) So I wrote a couple of small script to rebuild those my buckets into more reasonable time slices. But the buckets created with importtool don't have the merged_lexicon.lex file, which I would like to create.

Tags (2)
0 Karma
2 Solutions

Ledion_Bitincka
Splunk Employee
Splunk Employee
splunk-optimize-lex -d <bucket-dir>

View solution in original post

0 Karma

Lowell
Super Champion

touch <bucket-dir>/optimize.result

splunk-optimize-lex -d <bucket-dir>

Anyone know if this is a bug, or if optimize.result should be created by some other process before splunk-optimize-lex should be run?

View solution in original post

Lowell
Super Champion

touch <bucket-dir>/optimize.result

splunk-optimize-lex -d <bucket-dir>

Anyone know if this is a bug, or if optimize.result should be created by some other process before splunk-optimize-lex should be run?

Ledion_Bitincka
Splunk Employee
Splunk Employee

when a bucket is moved from hot to warm splunk runs a splunk-optimize which generates the optimize.result file followed by splunk-optimize-lex. The reason splunk-optimize-lex waits for a optimize.result is that it can only operate on optimized buckets.

Ledion_Bitincka
Splunk Employee
Splunk Employee
splunk-optimize-lex -d <bucket-dir>
0 Karma

Lowell
Super Champion

That's what I thought, but it never seemed to work for me. But I think I found the problem. It appears that splunk-optimize-lex waits for optimize.result to exist first.

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...