I am working on a script to thaw frozen buckets. Part of my script is to validate that the selected buckets are valid. We have an index cluster that currently just freeze to a shared path.
I run /opt/splunk/bin/splunk check-integrity -bucketPath /some/path/to/bucket
to validate the buckets.
I noticed that some of my buckets have a trailing digit at the end. They look like rb_12345678_12345678_1234_GUID-0
. There are others that run up to -3
When the check-integrity command runs it reports:
Constraints given leave no buckets to operate on
If I rename that bucket (in a different path) to remove the -0 I get a valid bucket response:
Total buckets checked=1, succeeded=1, failed=0
I do not see -0 directories in my warm or cold directories.
I'm guessing that since we are freezing to a shared path that Splunk is appending a -digit to the end of the frozen bucket name as not to overwrite something that is already there. This would make me believe that I could ignore the -# buckets IF I have a corresponding bucket that does not have the extra -#. I would also want to eventually purge the extra buckets. If I'm missing a normally named bucket should I move to rename one -# bucket to make it a "real" bucket?