Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why Splunk Web UI shows "Check space and other issues that may cause indexer to block" and "Rawdata may be corrupted"?

Bizfinx_sysmon
New Member
‎09-08-2014 03:10 AM

Dear Support,

I have 2 messages on the Splunk web interface:
"skipped indexing of internal audit events will keep dropping events until indexer congestion is remedied. Check space and other issues that may caused indexer to block"
"Error in 'databasePartitionPolicy': Failure to read 1 event(s) from rawdata in bucket'_internal-1679-C10009BFA-1DE1-1A491-8895-E35E6F221168'. Rawdata maybe corrupted, see search.logs

I have tried to search under the following directory:
/opt/splunk/var/run/splunk/
where there are lots of directory with search.log.

I have tried to look at some of them and it seems to be ok.

Can someone from support advise on the above?

0 Karma
Reply

grijhwani
Motivator
‎09-08-2014 06:53 AM

Without looking at your specific setup, and/or having sight of specific error messages in the log, what you have told us above is suggestive of one of three things:

  1. Your index disk is full (although experience teaches me to expect a different message)
  2. Your index disk is experiencing errors which could be slowing throughput because of read/write retries (although again, if it is persistent I would expect a more explanatory error)
  3. Your indexer is quite simply over-taxed (through memory exhaustion and excessive page swapping, or CPU exhaustion) or has reached the bandwidth cap you have set (or that it has defaulted to)

I'd be inclined to look for a system problem to begin with.

0 Karma
Reply

Bizfinx_sysmon
New Member
‎09-08-2014 11:40 PM

Hi grijhwani,

Thanks for the update. FYI, I do not have such message anymore.

But I have a bigger issue now. I'm now not able to view my past data..
But I have check that the data seems to be there but Splunk is not able to link it back.

Can someone help?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...