Getting Data In

Why am I getting "ERROR S2SFileReceiver - event=statSize replicationType=eJournalReplication...status=failed" in my indexer cluster?

sympatiko
Communicator

Hi,

I'm getting the following error on my indexers' splunkd.log. I have a RF=3 and SF=3 indexer clustering with 1 master and 1 search head.

ERROR S2SFileReceiver - event=statSize replicationType=eJournalReplication bid=test~26~89C0FF94-5EB0-410A-9B4D-0E17DBD7FB78 path=/opt/splunk/var/lib/splunk/test/db/26_89C0FF94-5EB0-410A-9B4D-0E17DBD7FB78/rawdata/journal.gz status=failed

Any thoughts?

Thanks,

0 Karma

Prakhar_shukla
Path Finder

it is most likely happening because of corrupted buckets, you can see them in cluster master webpage as well. to fix the issue you need to remove them. please see how to remove bucket in this post

https://answers.splunk.com/answers/184484/what-should-i-do-with-bad-buckets-in-a-clustered-e.html?so...

0 Karma

lguinn2
Legend

My first thought: Splunk appears to be having difficulty replicating raw data between indexers.
Did clustering ever work, or is this a new setup?
Does this message appear on all indexers?
Is disk space available on all indexers?
Do you have constraints on index size or volume size?
Is the network connection between indexers good?
Is the replication port open between all indexers?
Is the replication port used ONLY for replication (it's not the splunkd port or the receiving port)?
Are all indexers configured identically?
How many indexers are in the cluster?

0 Karma

sympatiko
Communicator

Did clustering ever work, or is this a new setup?
It is a working cluster environment. I've just experienced it I think thrice.

Does this message appear on all indexers?
No.

Is disk space available on all indexers?
Yes

Do you have constraints on index size or volume size?
None

Is the network connection between indexers good?
Yes

Is the replication port open between all indexers?
Yes

Is the replication port used ONLY for replication (it's not the splunkd port or the receiving port)?
Yes for replication only.

Are all indexers configured identically?
Yes

How many indexers are in the cluster?
There are 3 indexers in the cluster with same configuration.

0 Karma

mwdbhyat
Builder

Did you ever figure out what this was ?

0 Karma

vasanthmss
Motivator

@sympatiko: do you found the root cause?

V
0 Karma
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...