Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why does a cluster halt with - ERROR BucketReplicator - Could not find size of file.. ?

ddrillic
Ultra Champion
‎12-20-2017 07:21 AM

Our indexer cluster got all its queues filled up yesterday and no data got indexed for around 10 hours.

Support determined the root cause to be the issue reflected by this type of messages -

12-19-2017 05:59:43.776 -0600 ERROR BucketReplicator - Could not find size of file=/SplunkIndexData/splunk-indexes/<db name>/colddb/rb_1508261105_1508249969_824_EE604247-781F-45EF-B2C4-C966B93CE78C/rawdata/journal.gz for bid=<db name>~824~EE604247-781F-45EF-B2C4-C966B93CE78C. stat() failed. No such file or directory.

Using index=_internal "No such file or directory" | dedup file | table host we identified and then removed the broken buckets.

I just wonder what could have caused this issue and why the cluster would stop functioning with this type of issue.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mchang_splunk
Splunk Employee
Splunk Employee
‎12-20-2017 01:36 PM

It's mostly system outage or splunkd was killed while buckets was updated.
when you check the folder file=/SplunkIndexData/splunk-indexes//colddb/rb_1508261105_1508249969_824_EE604247-781F-45EF-B2C4-C966B93CE78C, subfolder rawdata disappeared.

Since the raw data was missing, the only solution is to remove the whole buckets to get replication process working.
If RF is larger than 2, you should have these buckets replicated from other cluster peers without data loss.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mchang_splunk
Splunk Employee
Splunk Employee
‎12-20-2017 01:36 PM

It's mostly system outage or splunkd was killed while buckets was updated.
when you check the folder file=/SplunkIndexData/splunk-indexes//colddb/rb_1508261105_1508249969_824_EE604247-781F-45EF-B2C4-C966B93CE78C, subfolder rawdata disappeared.

Since the raw data was missing, the only solution is to remove the whole buckets to get replication process working.
If RF is larger than 2, you should have these buckets replicated from other cluster peers without data loss.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎12-20-2017 01:51 PM

Much appreciated @mchang!

And my point is that the entire cluster is stalled due to some corrupt buckets.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...