I'm doing research on Splunk. I don't have direct access the product. I saw in a Splunk-provided presentation that "a bad bucket result returns the bucket number and slice number for a changed slice/bucket". Is this true? Here's the presentation:
Yes it does tell you which slice is wrong with this kind of message:
Integrity check failed for bucket with path=/opt/splunk/XXXXXXXX/index/db/rb_1480438183_1478748435_95_D6AXXXXXXXXX, Reason=Hash of journal slice# 45718 did not match the expected value in l1Hashes_95_D6AXXXXXXXXX.dat
I haven't yet tried to understand which event inside the bucket is wrong based on the slice number and the slices size.
In our case we have an indexer cluster, when this message pops we replace the bucket (in this exemple a replicated bucket) with its copy available on another cluster node.