What are the id_XX buckets that show up under "index activity"

Chris_R_
Splunk Employee

What are the id_XX buckets that show up under "index activity"? They also show up in the bucket directories. What do these represent?

1 Solution

Chris_R_
Splunk Employee

Just to update this answer, looks like rebuilding the metadata and bucket manifest removed any record of the buckets under "index activity". The actual buckets don't exist under the db directories anymore.

So performing these steps should clear them up:

  1. In the /db directory, delete the file .bucketmanifest
  2. In the /db directory, create the file (0 bytes works) meta.dirty

Vishal_Patel
Splunk Employee

Interesting, this means the buckets were moved from underneath Splunk, or Splunk lost track of them somehow.

At the time you see those id_xyz buckets via |dbinspect, check to see if the bucket/s with id 'xyz' actually even exist within Splunk?

Chris_R_
Splunk Employee

Looks like a lot of log activity with increasing bucket IDs.

Here's a sample:
splunkd.log.2:04-27-2010 08:48:27.761 ERROR DatabaseInspectCommand - Unable to find a directory for bucket id 5538
splunkd.log.2:04-27-2010 08:48:27.761 ERROR DatabaseInspectCommand - Unable to find a directory for bucket id 5539
splunkd.log.2:04-27-2010 08:48:27.761 ERROR DatabaseInspectCommand - Unable to find a directory for bucket id 5540
splunkd.log.2:04-27-2010 08:48:27.761 ERROR DatabaseInspectCommand - Unable to find a directory for bucket id 5541
splunkd.log.2:04-27-2010 08:48:27.761 ERROR DatabaseInspectCommand - Unable to find a directory for bucket id 5542
splunkd.log.2:04-27-2010 08:48:27.761 ERROR DatabaseInspectCommand - Unable to find a directory for bucket id 5543
splunkd.log.2:04-27-2010 08:48:27.761 ERROR DatabaseInspectCommand - Unable to find a directory for bucket id 5544
splunkd.log.2:04-27-2010 08:48:27.761 ERROR DatabaseInspectCommand - Unable to find a directory for bucket id 5545
splunkd.log.2:04-27-2010 08:48:27.761 ERROR DatabaseInspectCommand - Unable to find a directory for bucket id 5546
splunkd.log.2:04-27-2010 08:48:27.761 ERROR DatabaseInspectCommand - Unable to find a directory for bucket id 5547
splunkd.log.2:04-27-2010 08:48:27.761 ERROR DatabaseInspectCommand - Unable to find a directory for bucket id 5548

One other entry too
- Unable to run timechart with span = 1y because Error in 'makecontinuous' command: Invalid value for option span: '1y'

Vishal_Patel
Splunk Employee

It means we couldn't figure out whether the bucket in question was a hot/warm or cold bucket. I'd be interested to see the output of this when you repro it:

% grep DatabaseInspectCommand $SPLUNK_HOME/var/log/splunk/splunkd.log | grep ERROR
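
Added example, not part of the original thread: a shell sketch that extends the grep above by pulling the bucket ids out of the DatabaseInspectCommand errors and checking whether a matching bucket directory still exists in the index's db directory. It assumes bucket directories are named db_<newest>_<oldest>_<id> (warm/cold) or hot_v1_<id> (hot); the function names and the sample data are made up for illustration.

```shell
#!/bin/sh
# Added example. Assumed bucket directory names: db_<newest>_<oldest>_<id> (warm/cold)
# and hot_v1_<id> (hot). Function names are hypothetical.

# Print the unique bucket ids named in DatabaseInspectCommand errors.
# grep -o copes with several entries run together on one line.
missing_ids() {
    grep 'ERROR DatabaseInspectCommand' "$1" |
        grep -o 'Unable to find a directory for bucket id [0-9][0-9]*' |
        awk '{ print $NF }' | sort -n -u
}

# Succeed if a bucket directory with local id $2 exists under db directory $1.
bucket_dir_exists() {
    for d in "$1"/db_*_*_"$2" "$1"/hot_v1_"$2"; do
        [ -d "$d" ] && return 0
    done
    return 1
}

# usage: check_buckets <splunkd.log> <index db directory>
check_buckets() {
    missing_ids "$1" | while read -r id; do
        if bucket_dir_exists "$2" "$id"; then
            echo "$id present"
        else
            echo "$id absent"
        fi
    done
}

# Constructed sample: two log ids, one of which still has a directory on disk.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/db/db_1272358107_1272271707_5539"
    cat > "$tmp/splunkd.log" <<'EOF'
04-27-2010 08:48:27.761 ERROR DatabaseInspectCommand - Unable to find a directory for bucket id 5538
04-27-2010 08:48:27.761 ERROR DatabaseInspectCommand - Unable to find a directory for bucket id 5539 04-27-2010 08:48:27.761 ERROR DatabaseInspectCommand - Unable to find a directory for bucket id 5538
EOF
    check_buckets "$tmp/splunkd.log" "$tmp/db"
    rm -rf "$tmp"
}

demo
```

An id reported as absent is the case described in the accepted answer, where the buckets no longer exist under the db directories.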
