Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After upgrading Splunk to 6.5.x, why is my indexer reporting "Unable to get size on disk for bucket id=..." in splunkd.log?

sbrice
Explorer
‎12-06-2016 01:26 PM

I have two indexers, a search head, and universal forwarders. Post 6.5 upgrade, I am seeing a ton of these messages on my indexer splunkd.log

INFO  DatabaseDirectoryManager - Getting size on disk: Unable to get size on disk for bucket id=os~158~812F771A-35F3-4538-833D-F47FB7CB17E5 path="/splunk-indexes/default/os/colddb/db_1440115485_1440004578_158" (This is usually harmless as we may be racing with a rename in BucketMover or the S2SFileReceiver thread, which should be obvious in log file; the previous WARN message about this path can safely be ignored.) caller=getCumulativeSizeForPaths
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎12-06-2016 04:25 PM

Hi sbrice,

Looks like index=os (aka *Nix app) buckets rolling to frozen/archive, while being scanned for size, perhaps? What does your default index have set for data retention?

the latest time in epoch in your bucketId is sometime mid august 2015.

You can use | dbinspect to investigate the bucket lifecycle, or navigate to your colddb to verify that the bucket no longer exists...searching your logs for the bucketId should tell you the story.

Being it is an info log, a quick grep for any ERROR or WARN in splunkd.log should ensure you see any items of concern.

- MattyMo

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎12-06-2016 04:25 PM

Hi sbrice,

Looks like index=os (aka *Nix app) buckets rolling to frozen/archive, while being scanned for size, perhaps? What does your default index have set for data retention?

the latest time in epoch in your bucketId is sometime mid august 2015.

You can use | dbinspect to investigate the bucket lifecycle, or navigate to your colddb to verify that the bucket no longer exists...searching your logs for the bucketId should tell you the story.

Being it is an info log, a quick grep for any ERROR or WARN in splunkd.log should ensure you see any items of concern.

- MattyMo
0 Karma
Reply
Solved! Jump to solution

sbrice
Explorer
‎12-09-2016 10:24 AM

Thank you! made the changes to frozen/archive policy, restarted the indexer and logs have cleared up.

0 Karma
Reply
Solved! Jump to solution

slebbie_splunk
Splunk Employee
Splunk Employee
‎02-06-2017 04:08 PM

@sbrice can you elaborate on the changes you made?

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...