Solved: Re: Concerns about continuously receiving several ...

bkatzlin · ‎06-27-2019

Hello,

I'm continuously experiencing several error messages in splunkd.log such as:

ERROR BucketMover - Unable to parse bucket ID from path="..."

In this forum I only found previous solutions saying like "This issue has been fixed in version 6.x" - but I'm currently on 7.2.0

Should I be concerned about these messages?
Would this error affect my data retention?
And finally - how could the issue be fixed?

Regards,
Bernd

bkatzlin · ‎07-03-2019

Thanks to Skalli's comment I was able to find a INFO message corresponding to each ERROR, saying that the bucket issue has somehow been resolved by "AsyncFreezer". I should have noticed this immediately, sorry.
Thus I'd prefer to take these errors easy and see whether they will disappear at the next upgrade.
Thanks!

View solution in original post

bkatzlin · ‎07-03-2019

Thanks to Skalli's comment I was able to find a INFO message corresponding to each ERROR, saying that the bucket issue has somehow been resolved by "AsyncFreezer". I should have noticed this immediately, sorry.
Thus I'd prefer to take these errors easy and see whether they will disappear at the next upgrade.
Thanks!

skalliger · ‎07-03-2019

Good to know, thanks for the feedback. Sometimes there are errors that shouldn't be displayed as errors. 🙂

Skalli

amitm05 · ‎07-02-2019

I'd suggest to mark the answer if this problem is getting auto fixed. So its easier for others to follow up on the correct thread. Thanks

amitm05 · ‎06-28-2019

@bkatzlin
You have omitted the bucket path in your question. It'll help to know that which buckets (hot, warm Or cold) are getting impacted.
You might want to check for permissions of Splunk on the storage locations (However if in the first place splunk was able to write there, I'm least expecting to find this to be the cause but no harm cross checking).

And yes, about retention - If your buckets keep failing to roll, you might start experiencing the performance problems and eventually the disk usage.

Ques - Are you working with a idx cluster Or a standalone box ? You might want to check which instances are throwing these errors if you are working with a cluster.

Let me know. Thanks

bkatzlin · ‎06-28-2019

Thanks for giving me some directions.
Well, it's a idx cluster, Splunk version 7.2.0 as said, and the messages are seen on all cluster members.
Actually the error seems to me related to data model acceleration, since all path="..." names have in common:

.../<index_name>/datamodel_summary/.../DM_Splunk_SA_CIM_Web

Any ideas?

amitm05 · ‎07-01-2019

Please provide the full error message. Earlier you didnt mention anything about the DataModel in your error

skalliger · ‎06-27-2019

I'd suggest upgrading to the latest 7.2 which is 7.2.7 right now. Don't just do .0 releases.
Do you have other Error log messages around that time when it happens?

Skalli

bkatzlin · ‎07-01-2019

I found that these BucketMover ERROR records are followed by a INFO message saying:
INFO BucketMover - AsyncFreezer freeze succeedded for bkt='...'
So, without knowing any internals, I'd guess that the AsyncFreezer has successfully fixed the affected bucket and everything's ok.

skalliger · ‎07-01-2019

Guess I forgot to add that. Yea, seems like a bug which might be gone after doing an upgrade. 🙂

Skalli

Concerns about continuously receiving several error messages in splunkd.log

error

splunkd

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)