Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Error while searching and other error in the notification message?

pacifikn
Communicator
‎01-16-2022 07:56 AM

Dear Team,

 

Greetings!!

 

I need your help and guidance on the following issue , i keep getting this error in the notifications message:

 

Search peer Splunk-idx4 has the following message: The minimum dree disk space (5000MB)
reached for opt/splunk/var/run/splunk/dispatch.


Problem replicating config (bundle) to search peer '10.10.5.106:8089' , HTTP response code 500
(HTTP/1.1 500 Error writing to /opt/splunk/var/run/searchpeers/Splunksh01-1642302054.bundle.53d7c4e2bfaedd1d.tmp:
NO space left on device).
Error writing to /opt/splunk/var/run/searchpeers/Splunksh01-1642302054.bundle.fbc779696ccbf76a.tmp:
No space left on the device (unknown write error)

Even on the search and reporting when i run a query, it gives this error, 

2 error occurred while the search was executing. Therefore, search results might be incomplete. Hide errors

. [Splunk id-03] Failed to read size=3307 event(s) from raw data in bucket='nsoc_fw_ahnlab~703~B239BEEE-90FA-43C8-ADDA-620D3FACAB66' path ='/opt/splunk_data/indexes/nsoc_fw_ahnlab/db/hot_v1_703. Rawdata may be corrupt, see seach log. Results may be incomplete!

. [Splunk id-03] Failed to read size=5030 event(s) from raw data in bucket='nsoc_fw_ahnlab~703~B239BEEE-90FA-43C8-ADDA-620D3FACAB66' path ='/opt/splunk_data/indexes/nsoc_fw_ahnlab/db/hot_v1_703. Rawdata may be corrupt, see seach log. Results may be incomplete!

 

Kindly help me and guide me on how to fix the above issue.

 

Thank you in advance!

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-16-2022 09:20 AM

You have what appear to be two different problems.

The first problem is a lack of available disk space on indexer Splunk-idx4.  Check /opt/splunk/var/run/searchpeers for old bundle files and delete them to free up some space.

Consider adding more space to the volume.  If it isn't already, make the storage for /opt/splunk distinct from other volumes, especially root.

The second problem is possible corrupt index buckets.  See the search logs mentioned in the notifications for details.  You'll probably need to run Splunk's fsck utility to find and repair the problem.

---
If this reply helps you, Karma would be appreciated.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...