Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to resolve index buckets stuck in "Fixup Tasks - In Progress"?

Glasses2
Communicator
‎05-03-2024 04:03 PM

The other day a few alerts surfaced showing I had 6 large windows data buckets stuck "Fixup Task - In Progress".

I ran a query 

 

 

 

| dbinspect index=windows corruptonly=true
| search bucketId IN (windows~nnnn~guid,...)
| fields bucketId, path, splunk_server, corruptReason, state

 

 

 

and  found all the primary db_<buckets> from the alerts were corrupt.  You can also see it on the IDXCM bucket status.

I tried a few fsck repairs commands on the indexers where the primary buckets resided, but it failed due to error >>> failReason=No bloomfilter
then I tried >>>

 

 

 

./splunk fsck repair --one-bucket --bucket-path=/<path> --index-name=<indexName> --debug --v --backfill-never

 

 

 

 

After that it cleared and splunkd.log showed  >>> Successfully released lock for bucket with path...

I hope this information helps.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Glasses2
Communicator
‎05-03-2024 04:07 PM

The actual steps are:

1 find the corrupted bucket location with the dbinspect query
2 enable maintenance-mode on the IDXCM

3 take the indexer offline (where you want to repair the bucket) 

4 run the fsck repair command on the stopped indexer
5 start the indexer when finished
6 disable maintenance-mode on the IDXCM
7 let the IDXCluster heal
8 repeat steps for the next bucket 

Large buckets 10G take about 25min to repair

Goodluck

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Glasses2
Communicator
‎05-03-2024 04:07 PM

The actual steps are:

1 find the corrupted bucket location with the dbinspect query
2 enable maintenance-mode on the IDXCM

3 take the indexer offline (where you want to repair the bucket) 

4 run the fsck repair command on the stopped indexer
5 start the indexer when finished
6 disable maintenance-mode on the IDXCM
7 let the IDXCluster heal
8 repeat steps for the next bucket 

Large buckets 10G take about 25min to repair

Goodluck

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...