Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After upgrading Splunk to 6.5.x, why is my indexer reporting "Unable to get size on disk for bucket id=..." in splunkd.log?

sbrice
Explorer
‎12-06-2016 01:26 PM

I have two indexers, a search head, and universal forwarders. Post 6.5 upgrade, I am seeing a ton of these messages on my indexer splunkd.log

INFO  DatabaseDirectoryManager - Getting size on disk: Unable to get size on disk for bucket id=os~158~812F771A-35F3-4538-833D-F47FB7CB17E5 path="/splunk-indexes/default/os/colddb/db_1440115485_1440004578_158" (This is usually harmless as we may be racing with a rename in BucketMover or the S2SFileReceiver thread, which should be obvious in log file; the previous WARN message about this path can safely be ignored.) caller=getCumulativeSizeForPaths
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎12-06-2016 04:25 PM

Hi sbrice,

Looks like index=os (aka *Nix app) buckets rolling to frozen/archive, while being scanned for size, perhaps? What does your default index have set for data retention?

the latest time in epoch in your bucketId is sometime mid august 2015.

You can use | dbinspect to investigate the bucket lifecycle, or navigate to your colddb to verify that the bucket no longer exists...searching your logs for the bucketId should tell you the story.

Being it is an info log, a quick grep for any ERROR or WARN in splunkd.log should ensure you see any items of concern.

- MattyMo

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎12-06-2016 04:25 PM

Hi sbrice,

Looks like index=os (aka *Nix app) buckets rolling to frozen/archive, while being scanned for size, perhaps? What does your default index have set for data retention?

the latest time in epoch in your bucketId is sometime mid august 2015.

You can use | dbinspect to investigate the bucket lifecycle, or navigate to your colddb to verify that the bucket no longer exists...searching your logs for the bucketId should tell you the story.

Being it is an info log, a quick grep for any ERROR or WARN in splunkd.log should ensure you see any items of concern.

- MattyMo
0 Karma
Reply
Solved! Jump to solution

sbrice
Explorer
‎12-09-2016 10:24 AM

Thank you! made the changes to frozen/archive policy, restarted the indexer and logs have cleared up.

0 Karma
Reply
Solved! Jump to solution

slebbie_splunk
Splunk Employee
Splunk Employee
‎02-06-2017 04:08 PM

@sbrice can you elaborate on the changes you made?

Reply
Get Updates on the Splunk Community!

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk New Course Releases for a Changing World

Every day, the world feels like it’s moving faster with new technological breakthroughs, AI innovation, and ...

Insights from .conf 2025, Smart Edge Processor Scaling, and a New Splunk Lantern ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...