I'm continuously experiencing several error messages in splunkd.log such as:
ERROR BucketMover - Unable to parse bucket ID from path="..."
In this forum I only found previous solutions saying like "This issue has been fixed in version 6.x" - but I'm currently on 7.2.0
I'd suggest upgrading to the latest 7.2 which is 7.2.7 right now. Don't just do .0 releases.
Do you have other Error log messages around that time when it happens?
I found that these BucketMover ERROR records are followed by a INFO message saying:
INFO BucketMover - AsyncFreezer freeze succeedded for bkt='...'
So, without knowing any internals, I'd guess that the AsyncFreezer has successfully fixed the affected bucket and everything's ok.
Guess I forgot to add that. Yea, seems like a bug which might be gone after doing an upgrade. 🙂
You have omitted the bucket path in your question. It'll help to know that which buckets (hot, warm Or cold) are getting impacted.
You might want to check for permissions of Splunk on the storage locations (However if in the first place splunk was able to write there, I'm least expecting to find this to be the cause but no harm cross checking).
And yes, about retention - If your buckets keep failing to roll, you might start experiencing the performance problems and eventually the disk usage.
Ques - Are you working with a idx cluster Or a standalone box ? You might want to check which instances are throwing these errors if you are working with a cluster.
Let me know. Thanks
Thanks for giving me some directions.
Well, it's a idx cluster, Splunk version 7.2.0 as said, and the messages are seen on all cluster members.
Actually the error seems to me related to data model acceleration, since all path="..." names have in common:
Please provide the full error message. Earlier you didnt mention anything about the DataModel in your error
I'd suggest to mark the answer if this problem is getting auto fixed. So its easier for others to follow up on the correct thread. Thanks
Thanks to Skalli's comment I was able to find a INFO message corresponding to each ERROR, saying that the bucket issue has somehow been resolved by "AsyncFreezer". I should have noticed this immediately, sorry.
Thus I'd prefer to take these errors easy and see whether they will disappear at the next upgrade.
Good to know, thanks for the feedback. Sometimes there are errors that shouldn't be displayed as errors. 🙂