Solved: Splunkd Bucket error

gowtham08091 · ‎07-10-2020

Hello,

Recently I been getting Bucket error in index processor everyday. I am rebooting the Splunkd service everyday to get rid of this error.

How to identify the root cause of this issue and fix it.

error attached

Thanks

isoutamo · ‎07-11-2020

Can you click item “Bucket” to get the details of error and also look what you can found from internal logs (e.g. index=_internal sourcetype=splunkd bucket)?

r. Ismo

View solution in original post

isoutamo · ‎07-11-2020

Can you click item “Bucket” to get the details of error and also look what you can found from internal logs (e.g. index=_internal sourcetype=splunkd bucket)?

r. Ismo

richgalloway · ‎07-11-2020

What details do you have about the error?
Click on the red Buckets text to get them. Or check splunkd.log.

---
If this reply helps you, Karma would be appreciated.

gowtham08091 · ‎07-12-2020

Hello,

I get a response with one of my index

"Root Cause(s):
The percentage of small of buckets created (100) over the last hour is very high and exceeded the red thresholds (50) for index=jenkins_statistics, and possibly more indexes, on this indexer"

Any idea how to fix this issue.

isoutamo · ‎07-13-2020

Hi

if you don’t use smartstore then you should update your indexes.conf with maxDataSize = auto_high_volume for that index if this behavior is regular.

r. Ismo

Splunkd Bucket error

troubleshooting

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases