Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Concerns about continuously receiving several error messages in splunkd.log

bkatzlin
Explorer
‎06-27-2019 06:56 AM

Hello,

I'm continuously experiencing several error messages in splunkd.log such as:

ERROR BucketMover - Unable to parse bucket ID from path="..."

In this forum I only found previous solutions saying like "This issue has been fixed in version 6.x" - but I'm currently on 7.2.0

  1. Should I be concerned about these messages?
  2. Would this error affect my data retention?
  3. And finally - how could the issue be fixed?

Regards,
Bernd

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bkatzlin
Explorer
‎07-03-2019 02:52 AM

Thanks to Skalli's comment I was able to find a INFO message corresponding to each ERROR, saying that the bucket issue has somehow been resolved by "AsyncFreezer". I should have noticed this immediately, sorry.
Thus I'd prefer to take these errors easy and see whether they will disappear at the next upgrade.
Thanks!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bkatzlin
Explorer
‎07-03-2019 02:52 AM

Thanks to Skalli's comment I was able to find a INFO message corresponding to each ERROR, saying that the bucket issue has somehow been resolved by "AsyncFreezer". I should have noticed this immediately, sorry.
Thus I'd prefer to take these errors easy and see whether they will disappear at the next upgrade.
Thanks!

0 Karma
Reply
Solved! Jump to solution

skalliger
Motivator
‎07-03-2019 04:40 AM

Good to know, thanks for the feedback. Sometimes there are errors that shouldn't be displayed as errors. 🙂

Skalli

0 Karma
Reply
Solved! Jump to solution

amitm05
Builder
‎07-02-2019 11:12 PM

I'd suggest to mark the answer if this problem is getting auto fixed. So its easier for others to follow up on the correct thread. Thanks

0 Karma
Reply
Solved! Jump to solution

amitm05
Builder
‎06-28-2019 01:27 AM

@bkatzlin
You have omitted the bucket path in your question. It'll help to know that which buckets (hot, warm Or cold) are getting impacted.
You might want to check for permissions of Splunk on the storage locations (However if in the first place splunk was able to write there, I'm least expecting to find this to be the cause but no harm cross checking).

And yes, about retention - If your buckets keep failing to roll, you might start experiencing the performance problems and eventually the disk usage.

Ques - Are you working with a idx cluster Or a standalone box ? You might want to check which instances are throwing these errors if you are working with a cluster.

Let me know. Thanks

0 Karma
Reply
Solved! Jump to solution

bkatzlin
Explorer
‎06-28-2019 05:36 AM

Thanks for giving me some directions.
Well, it's a idx cluster, Splunk version 7.2.0 as said, and the messages are seen on all cluster members.
Actually the error seems to me related to data model acceleration, since all path="..." names have in common:

.../<index_name>/datamodel_summary/.../DM_Splunk_SA_CIM_Web

Any ideas?

0 Karma
Reply
Solved! Jump to solution

amitm05
Builder
‎07-01-2019 07:46 AM

Please provide the full error message. Earlier you didnt mention anything about the DataModel in your error

0 Karma
Reply
Solved! Jump to solution

skalliger
Motivator
‎06-27-2019 11:28 AM

I'd suggest upgrading to the latest 7.2 which is 7.2.7 right now. Don't just do .0 releases.
Do you have other Error log messages around that time when it happens?

Skalli

Reply
Solved! Jump to solution

bkatzlin
Explorer
‎07-01-2019 07:11 AM

I found that these BucketMover ERROR records are followed by a INFO message saying:
INFO BucketMover - AsyncFreezer freeze succeedded for bkt='...'
So, without knowing any internals, I'd guess that the AsyncFreezer has successfully fixed the affected bucket and everything's ok.

0 Karma
Reply
Solved! Jump to solution

skalliger
Motivator
‎07-01-2019 07:36 AM

Guess I forgot to add that. Yea, seems like a bug which might be gone after doing an upgrade. 🙂

Skalli

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...