Indexer Cluster: Why am I seeing "event=replicatio...

vaianna · ‎10-02-2015

Hi,

I have a Splunk indexer cluster with these parameters:
1 Master node
1 Search Head node
2 Indexers
2 Forwarders
RF = 2, SF = 2, both don't respected

For several days, and in this moment, with a real-time search on _internal index, I see on the first Indexer many sequences of these type of errors. The other indexer doesn't have the same problem.

ERROR TcpInputProc - event=replicationData status=failed err=
ERROR S2SFileReceiver - event=rename replicationType=eJournalReplication  status=failed err=Rename failed in 1 attempt(s) made between  status code: 17

Which can be the cause of this behavior?

Thanks,

Prakhar_shukla · ‎04-10-2017

it is most likely happening because of corrupted buckets, you can see them in cluster master webpage as well. to fix the issue you need to remove them. please see how to remove bucket in this post

https://answers.splunk.com/answers/184484/what-should-i-do-with-bad-buckets-in-a-clustered-e.html?so...

vasanthmss · ‎04-19-2016

@Vaianna: Check this post https://answers.splunk.com/answers/295363/why-am-i-getting-error-s2sfilereceiver-eventstatsi.html

There are few of the checklist available to validate. If you have found the root cause share it..

V

Indexer Cluster: Why am I seeing "event=replicationData... event=rename replicationType=eJournalReplication status=failed" errors on one indexer?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation