Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to resolve index buckets stuck in "Fixup Tasks - In Progress"?

Glasses2
Communicator
‎05-03-2024 04:03 PM

The other day a few alerts surfaced showing I had 6 large windows data buckets stuck "Fixup Task - In Progress".

I ran a query 

 

 

 

| dbinspect index=windows corruptonly=true
| search bucketId IN (windows~nnnn~guid,...)
| fields bucketId, path, splunk_server, corruptReason, state

 

 

 

and  found all the primary db_<buckets> from the alerts were corrupt.  You can also see it on the IDXCM bucket status.

I tried a few fsck repairs commands on the indexers where the primary buckets resided, but it failed due to error >>> failReason=No bloomfilter
then I tried >>>

 

 

 

./splunk fsck repair --one-bucket --bucket-path=/<path> --index-name=<indexName> --debug --v --backfill-never

 

 

 

 

After that it cleared and splunkd.log showed  >>> Successfully released lock for bucket with path...

I hope this information helps.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Glasses2
Communicator
‎05-03-2024 04:07 PM

The actual steps are:

1 find the corrupted bucket location with the dbinspect query
2 enable maintenance-mode on the IDXCM

3 take the indexer offline (where you want to repair the bucket) 

4 run the fsck repair command on the stopped indexer
5 start the indexer when finished
6 disable maintenance-mode on the IDXCM
7 let the IDXCluster heal
8 repeat steps for the next bucket 

Large buckets 10G take about 25min to repair

Goodluck

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Glasses2
Communicator
‎05-03-2024 04:07 PM

The actual steps are:

1 find the corrupted bucket location with the dbinspect query
2 enable maintenance-mode on the IDXCM

3 take the indexer offline (where you want to repair the bucket) 

4 run the fsck repair command on the stopped indexer
5 start the indexer when finished
6 disable maintenance-mode on the IDXCM
7 let the IDXCluster heal
8 repeat steps for the next bucket 

Large buckets 10G take about 25min to repair

Goodluck

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...