Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk-optimize Warning ...

MikeyG
Explorer
‎04-07-2010 12:47 PM

Can't find a reference to the following error. What does it mean and how do I fix it?

Indexing Significant Warns:

WARN timeinvertedIndex - splunk-optimize failed to start for index /opt/splunk/var/lib/splunk/defaultdb/db/hot_quar_v1_17

Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-07-2010 02:33 PM

There is nothing to fix if it's rare. It just means that Splunk was busy at the time it would otherwise have run an optimization on the indexed data. Optimization runs frequently to improve the way data is stored in the index as new data gets added.

If the warning occurs regularly, it is a sign that your system is overloaded. If the warning occurs more often than every few minutes, your indexed data may not be well optimized which will lead to slower searches over that data.

View solution in original post

Reply
Solved! Jump to solution

tpaulsen
Contributor
‎05-11-2010 12:40 PM

The splunk-optimize process can´t run on that subdirectory, since it doesn´t exist. Even if i create it manually, splunk-optimize won´t notice, except by creating another error:

05-11-2010 13:10:40.476 ERROR databasePartitionPolicy - Index is empty refusing to move. oldDirPath=/opt/splunk/splunk/var/lib/splunk/fishbucket/db/db-hot

The other message is still there:

05-11-2010 14:33:52.045 WARN  timeinvertedIndex - splunk-optimize failed to start for index /opt/splunk/var/lib/splunk/fishbucket/db/db-hot
0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-07-2010 02:33 PM

There is nothing to fix if it's rare. It just means that Splunk was busy at the time it would otherwise have run an optimization on the indexed data. Optimization runs frequently to improve the way data is stored in the index as new data gets added.

If the warning occurs regularly, it is a sign that your system is overloaded. If the warning occurs more often than every few minutes, your indexed data may not be well optimized which will lead to slower searches over that data.

Reply
Solved! Jump to solution

Mick
Splunk Employee
Splunk Employee
‎04-07-2010 12:47 PM

Sporadic failures are to be expected, as there are times when Splunk will be indexing heavily to a particular hot DB, and it won't always be the optimal time for splunk-optimize to run on that particular bucket.

If it's a consistent failure however, and splunk-optimize has never been able to run on that bucket, that may indicate a more serious problem with the data inside the bucket - a possible data corruption for example.

If it's a consistent message, you should file a case with the Splunk Support team and they will work with you to determine the root cause - http://www.splunk.com/page/submit_issue

Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎04-07-2010 12:47 PM

If it's expected, why is it a failure?
What does it mean that it isn't an optimal time, is this a locking issue?

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

  Whether you’re building custom apps, diving into SPL2, or integrating AI and machine learning into your ...

Index This | How do you write 23 only using the number 2?

July 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk ITSI & Correlated Network Visibility

  Now On Demand   Take Your Network Visibility to the Next Level In today’s complex IT environments, ...
Top