Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After upgrading Splunk to 6.5.x, why is my indexer reporting "Unable to get size on disk for bucket id=..." in splunkd.log?

sbrice
Explorer
‎12-06-2016 01:26 PM

I have two indexers, a search head, and universal forwarders. Post 6.5 upgrade, I am seeing a ton of these messages on my indexer splunkd.log

INFO  DatabaseDirectoryManager - Getting size on disk: Unable to get size on disk for bucket id=os~158~812F771A-35F3-4538-833D-F47FB7CB17E5 path="/splunk-indexes/default/os/colddb/db_1440115485_1440004578_158" (This is usually harmless as we may be racing with a rename in BucketMover or the S2SFileReceiver thread, which should be obvious in log file; the previous WARN message about this path can safely be ignored.) caller=getCumulativeSizeForPaths
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎12-06-2016 04:25 PM

Hi sbrice,

Looks like index=os (aka *Nix app) buckets rolling to frozen/archive, while being scanned for size, perhaps? What does your default index have set for data retention?

the latest time in epoch in your bucketId is sometime mid august 2015.

You can use | dbinspect to investigate the bucket lifecycle, or navigate to your colddb to verify that the bucket no longer exists...searching your logs for the bucketId should tell you the story.

Being it is an info log, a quick grep for any ERROR or WARN in splunkd.log should ensure you see any items of concern.

- MattyMo

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎12-06-2016 04:25 PM

Hi sbrice,

Looks like index=os (aka *Nix app) buckets rolling to frozen/archive, while being scanned for size, perhaps? What does your default index have set for data retention?

the latest time in epoch in your bucketId is sometime mid august 2015.

You can use | dbinspect to investigate the bucket lifecycle, or navigate to your colddb to verify that the bucket no longer exists...searching your logs for the bucketId should tell you the story.

Being it is an info log, a quick grep for any ERROR or WARN in splunkd.log should ensure you see any items of concern.

- MattyMo
0 Karma
Reply
Solved! Jump to solution

sbrice
Explorer
‎12-09-2016 10:24 AM

Thank you! made the changes to frozen/archive policy, restarted the indexer and logs have cleared up.

0 Karma
Reply
Solved! Jump to solution

slebbie_splunk
Splunk Employee
Splunk Employee
‎02-06-2017 04:08 PM

@sbrice can you elaborate on the changes you made?

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...