Getting this error - then Splunkd crashes..

edenzler · ‎08-01-2013

Error in 'databasePartitionPolicy': Failed to read 1 event(s) from rawdata in bucket '_internal~235~8AD95516-6DE5-4CCF-82AA-19FD5902414E'. Rawdata may be corrupt, see search.log

I poked around here, just want to be sure that whatever I do doesn't destroy my instance.

Any direction/suggestions would be greatly appreciated.

Cheers,

lukejadamec · ‎08-01-2013

It looks like you have a corrupt index (_internal).
You can run this command to check the index:

To check the metadata use this.

$SPLUNK/bin/splunk stop

$SPLUNK/bin/splunk cmd splunkd fsck --index _internal

To repair the metadata use this.

$SPLUNK/bin/splunk stop

$SPLUNK/bin/splunk cmd splunkd fsck --index _internal --mode metadata --repair

To rebuild the bucket use this.

$SPLUNK/bin/splunk stop

$SPLUNK/bin/splunk rebuild $SPLUNK/bin/splunk rebuild $SPLUNK/bin/splunk/var/lib/splunk/_internal/pathtobadbucket

Here is a link to a page that describes how to go about repairing indexes.
http://wiki.splunk.com/Check_and_Repair_Metadata

lmyrefelt · ‎02-11-2014

check also here for more / additional help / solution;

http://answers.splunk.com/answers/80882/corrupted-bucket-journal

Getting this error - then Splunkd crashes..

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Join the Conversation

Getting this error - then Splunkd crashes..

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+