Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to fix BTree unexpected offset 0 while on order 1?

yuanliu
SplunkTrust
SplunkTrust
‎06-28-2024 05:36 PM

I'm getting these failures after a prior disk corruption.

ERROR TailReader [1876879 tailreader0] - Ignoring path="/somepath/somefile" due to: BTree::Exception: unexpected resulting offset 0 while on order 1, starting from offset 2056 node offset: 53209432 order: 255 keys: {  } children: { 0 }

I thought I had ejected buckets affected by the corruption; in addition, recent ingestions all go into buckets created after the corruption.

What can I do to fix this?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎06-30-2024 12:15 AM

If you had bucket problems, the error would come from another component 🙂

Normally with stale fishbucket entries and similar problems you'd simply remove a particular entry from the fishbucket but in this case it looks that the fishbucket database itself is damaged so you probably need to remove whole fishbucket - stop splunkd, remove var/lib/splunk/fishbucket, start splunkd

You might want to fiddle with the db first. If I remember correctly (but I wouldn't bet any money on it), it's a berkeleydb so it might be possible to repair it.

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎06-29-2024 10:15 PM

Indeed this error is related to ingestion failure.  I just thought the BTree problem is inside the buckets.  To clean up, do I just delete everything in fishbucket?  Reingestion is not a problem, but I do not want to cause other behavior changes.

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎06-30-2024 12:15 AM

If you had bucket problems, the error would come from another component 🙂

Normally with stale fishbucket entries and similar problems you'd simply remove a particular entry from the fishbucket but in this case it looks that the fishbucket database itself is damaged so you probably need to remove whole fishbucket - stop splunkd, remove var/lib/splunk/fishbucket, start splunkd

You might want to fiddle with the db first. If I remember correctly (but I wouldn't bet any money on it), it's a berkeleydb so it might be possible to repair it.

Tags (1)
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎07-02-2024 04:26 PM

Removing databases in fishbucket restored order in my ingestions.  Thank you!

For the record, I preserved fishbucket/db/ which does not contain any BTree. (Had I known this, I could have done this while cleaning up disk corruption.  There should be no assumption that fishbucket escaped corruption.)

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎06-29-2024 12:50 PM

This is a tailreader message so it should be about ingestion, not indexed data.

You might need to clean fishbucket (of course it will reingest all monitor inputs).

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...