Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

BucketMover - aborting move because failed to rename src to dest failed (reason='Directory not empty')

arrangineni
Path Finder
‎02-12-2020 09:22 AM

Trying to send the frozen buckets to a ECS Windows shared drive using CIFS mounted on Splunk Linux indexer. Permissions to Splunk service account on frozen is having full level modify access. Is there anything else we can troubleshooting for the below errors?

Looks like Splunk trying to rename the inflight folders on mount after copying and failing to do so. Buckets are getting copied to frozen location naming with inflight-db-*** which keeps retrying every few seconds

ERROR BucketMover - aborting move because failed to rename src='/data/frozen/index/name/inflight-db__** to dst='/data/frozen/index/name//db_**' (reason='Directory not empty')
ERROR BucketMover - aborting move because could not remove existing='/data/frozen/index/name/inflight-db__** (reason='Directory not empty')

0 Karma
Reply

nickhills
Ultra Champion
‎02-12-2020 09:46 AM

Considerations regarding Common Internet File System (CIFS)/Server Message Block (SMB)
Splunk Enterprise supports the use of the CIFS/SMB protocol for the following purposes, on shares hosted by Windows hosts only:

Storage of cold or frozen Index buckets.
When you use a CIFS resource for storage, confirm that the resource has write permissions for the user that connects to the resource at both the file and share levels. If you use a third-party storage device, confirm that its implementation of CIFS is compatible with the implementation that your Splunk Enterprise instance runs as a client.

Do not index data to a mapped network drive on Windows (for example "Y:\" mapped to an external share.) Splunk Enterprise disables any index it encounters with a non-physical drive letter.

https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements#Considerations_r...

The key point to note is this: confirm that the resource has write permissions for the user that connects to the resource at both the file and share levels.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...