Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Roll Hot Bucket into warm-Error

rajuljain1990
Explorer
‎01-07-2015 02:36 AM

I am trying to roll hot bucket using following cmd, and it it throwing error ,with http status=503,
Please tell me, where I am doing mistake:
C:\Program Files\Splunk\bin>splunk _internal call /data/indexes/olym/roll-hot-buckets -auth admin:changeme
QUERYING: 'https://127.0.0.1:8089/services/data/indexes/olym/roll-hot-buckets'
FAILED: 'HTTP/1.1 503 Service Unavailable'
Content:

<msg type="ERROR">

In handler 'indexes': could not queue custom action='roll-hot-buckets' for idx=olym

0 Karma
Reply

melcher
Explorer
‎09-14-2016 11:08 AM

I had a similar issue. I found out that I had actually run out of disk space on the RAID where my indexes were stored. That may be something to look into.

0 Karma
Reply

abacus_machine_
Engager
‎01-07-2015 04:59 AM

Which version of Splunk you are using?

0 Karma
Reply

rajuljain1990
Explorer
‎01-07-2015 09:30 PM

I am using Splunk 6.2.0 (build 237341)

0 Karma
Reply

rajuljain1990
Explorer
‎01-07-2015 04:39 AM

Hi Michael,

Splunk is running and working fine. I am not able to get relevant logs in splunkd.

PS: I am searching the logs in C:\ Program Files\ Splunk\ var\ log\ splunk\ splunkd location. Correct me if I am wrong.

Thanks,
Rajul

0 Karma
Reply

MuS
Legend
‎01-07-2015 04:46 AM

Okay, may I ask why you want to do this? If you do it because you want to backup see the docs http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Backupindexeddata and most important this part of it:

Important: It is ordinarily not advisable to roll hot buckets manually, as each forced roll permanently decreases search performance over the data. As a general rule, larger buckets are more efficient to search. By prematurely rolling buckets, you're producing smaller, less efficient buckets. In cases where hot data needs to be backed up, a snapshot backup is the preferred method.

What happens if you try to roll the _internal index like this:

splunk _internal call /data/indexes/_internal/roll-hot-buckets -auth admin:changeme
0 Karma
Reply

rajuljain1990
Explorer
‎01-07-2015 09:29 PM

Hi Michael,
I want to do this for R & D purpose. It is my home lab not the critical servers.

I tried it for the index "_internal", it is throwing the same error:

C:\Program Files\Splunk\bin>splunk _internal call /data/indexes/_internal/roll-h
ot-buckets -auth admin:changeme
QUERYING: 'https://127.0.0.1:8089/services/data/indexes/_internal/roll-hot-bucke
ts'
FAILED: 'HTTP/1.1 503 Service Unavailable'
Content:

<msg type="ERROR">

In handler 'indexes': could not queue custom action='roll-hot-buckets' for idx=
_internal

Regards,
Rajul

0 Karma
Reply

MuS
Legend
‎01-07-2015 03:52 AM

Is your Splunk running and working? run splunk status also check splunkd.log

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...