Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

BucketMover - aborting move because failed to rename src to dest failed (reason='Directory not empty')

arrangineni
Path Finder
‎02-12-2020 09:22 AM

Trying to send the frozen buckets to a ECS Windows shared drive using CIFS mounted on Splunk Linux indexer. Permissions to Splunk service account on frozen is having full level modify access. Is there anything else we can troubleshooting for the below errors?

Looks like Splunk trying to rename the inflight folders on mount after copying and failing to do so. Buckets are getting copied to frozen location naming with inflight-db-*** which keeps retrying every few seconds

ERROR BucketMover - aborting move because failed to rename src='/data/frozen/index/name/inflight-db__** to dst='/data/frozen/index/name//db_**' (reason='Directory not empty')
ERROR BucketMover - aborting move because could not remove existing='/data/frozen/index/name/inflight-db__** (reason='Directory not empty')

0 Karma
Reply

nickhills
Ultra Champion
‎02-12-2020 09:46 AM

Considerations regarding Common Internet File System (CIFS)/Server Message Block (SMB)
Splunk Enterprise supports the use of the CIFS/SMB protocol for the following purposes, on shares hosted by Windows hosts only:

Storage of cold or frozen Index buckets.
When you use a CIFS resource for storage, confirm that the resource has write permissions for the user that connects to the resource at both the file and share levels. If you use a third-party storage device, confirm that its implementation of CIFS is compatible with the implementation that your Splunk Enterprise instance runs as a client.

Do not index data to a mapped network drive on Windows (for example "Y:\" mapped to an external share.) Splunk Enterprise disables any index it encounters with a non-physical drive letter.

https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements#Considerations_r...

The key point to note is this: confirm that the resource has write permissions for the user that connects to the resource at both the file and share levels.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...