Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

HHow to restore the corrupted buckets

msplunk33
Path Finder
‎10-14-2020 05:17 PM

I have a  issue with one index in which the bucket is corrupted and I lost logs from this index for a period of time. How can I fix this.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2020 05:38 AM

Try running Splunk's fsck command.  See https://docs.splunk.com/Documentation/Splunk/Latest/Troubleshooting/CommandlinetoolsforusewithSuppor... and https://docs.splunk.com/Documentation/Splunk/8.0.6/Indexer/Bucketissues

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

msplunk33
Path Finder
‎10-15-2020 04:05 PM

@richgalloway 

I have a clustered indexers in a multi site environment. DO I need to shutdown the full cluster to run the  

fsck command?

 

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-16-2020 05:47 AM

You only need to stop the indexer on which the corrupt bucket resides.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

msplunk33
Path Finder
‎10-16-2020 02:53 PM

@richgalloway 

 

If I shutdown one node alone can this case  search factor and replication factor met failure? Will the data generated during the shutdown period will be replicated to this nodes after we bring it up?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-18-2020 02:52 PM

Shutting down an indexer may affect the ability for Splunk for maintain the desired search and replication factors.  It depends on your architecture and the specific RF/SF settings.  It will only be temporary, though.  Once the indexer comes back up the RF and SF will resolve themselves.

Data onboarded while the indexer is down will be stored on the other indexer(s) and will be replicated to the restarted node, if necessary.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...