When trying to fix corrupted buckets with gunzip j...

tlabue · ‎06-21-2018

I am running Splunk v6.6.3. I've found corrupted buckets and have tried to fix via the:

splunk fsck repair --one-bucket --index-name=indextest--bucket-name=db_1502353482_1504459082_1 --try-warm-then-cold
command.

This failed for me on all the buckets. I tried to repair with the following error:

Error reading rawdata: Error reading compressed journal while streaming: gzip data truncated.

I also tried this method I saw in the Answers:
1. cd to bucket's rawdata directory
2. gunzip journal.gz (this will produce a journal file)
3. gzip -c journal > journal.gz (recompresses the journal file into journal.gz)
4. delete journal
5. Re-run the repair command above and restart the the splunk server.

However, the gunzip journal.gz command also failed with the following error: unexpected end of file.

Is there something else I can try to repair the corrupted journal.gz files?

bstimely · ‎11-05-2018

I had the same problem and went down the same path using gunzip.
In the end it was not helpful. I was able to recover from the original bucket by using the exporttool.

Stop splunk of disable the index
mv corrupt directory to /tmp
splunk cmd exporttool -csv
splunk cmd importtool

mv the newbucketdirectory back into the db
restart splunk.

When trying to fix corrupted buckets with gunzip journal.gz, why am I getting the following error? : "unexpected end of file".

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)