Solved: rebuild the buckets after coping to thaweddb from ...

sathwikr076 · ‎08-06-2019

Hello,

we copied the buckets from frozendb to thaweddb and rebuild them. the data is searchable from that particular indexer UI which we made changes on but no searchable from the search heads. Please let me know if anyone have any idea about this. we are using 7.0.2 version.

Thanks.

sathwikr076 · ‎10-08-2019

This is bug in 7.0.2 version splunk,

SPL-161815 Thawed buckets in a cluster are sporadically unsearchable upon restart
https://docs.splunk.com/Documentation/Splunk/7.0.2/ReleaseNotes/KnownIssues

we had to move the frozen data to a standalone indexer which is not part of the cluster and rebulid the buckets and add the standalone indexer to our search head cluster to make the data searchable.

Thanks.

View solution in original post

sathwikr076 · ‎10-08-2019

This is bug in 7.0.2 version splunk,

SPL-161815 Thawed buckets in a cluster are sporadically unsearchable upon restart
https://docs.splunk.com/Documentation/Splunk/7.0.2/ReleaseNotes/KnownIssues

we had to move the frozen data to a standalone indexer which is not part of the cluster and rebulid the buckets and add the standalone indexer to our search head cluster to make the data searchable.

Thanks.

rebuild the buckets after coping to thaweddb from frozendb but not searchable

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?