Splunk Enterprise

bucket status an change masks failed

jariw
Path Finder

Hi,

two questions

One : In our environment we have got a multi site cluster with multiple peers.  In the bucket status we have got much errors which the  fixe up reason "change masks failed" and with current status "Cannot replicate as bucket hasn't rolled yet" .

Whats does that  "change masks failed" mean? And what to do about it?

Second question,  is there a possibility to resync the buckets with a cli command or other command line to sync multiple buckets (say about a 1000+ buckets) ?  Doing them all by hand is ... let's say.... time consuming

thanx in advance for the answer.

greetz

Jari

 

0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

In 8.1.3 and 8.1.4 (at least) seems to be bug (not confirmed by splunk yet) which try to replicate already partially frozen buckets. See more https://community.splunk.com/t5/Deployment-Architecture/Frozen-Buckets-with-Error-Cannot-replicate-a...

Basically you could create shell/python etc. scripts which you could use for syncing.

r. Ismo

View solution in original post

0 Karma

jariw
Path Finder

Hi R. Ismo.

 

Thanks for the link. I am already checking it out. Could you give me a clue for the python script?? Or a link to some info?

Thanx in advance

Greets

jari

0 Karma

jariw
Path Finder

Restarting the CM did the trick. Al the fixup tasks are gone. It is temperarely, they come back slowly .. Waiting for the fix in the future..

isoutamo
SplunkTrust
SplunkTrust
Have you already reported this to splunk support? If not please do it. And you should mention that there is already couple of other tickets for that issue.
0 Karma

jariw
Path Finder

Just reported it (thanx for the advise).  Lets wait for a solution, clicking the status warnings  away is not amusing...

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Short update for this case.
In our multisite cluster this issue has vanished as all those buckets have frozen now. We are still investigating this with splunk, but lets see if they can reproduce this in their own environment as this didn't seem to be common issue.
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

In 8.1.3 and 8.1.4 (at least) seems to be bug (not confirmed by splunk yet) which try to replicate already partially frozen buckets. See more https://community.splunk.com/t5/Deployment-Architecture/Frozen-Buckets-with-Error-Cannot-replicate-a...

Basically you could create shell/python etc. scripts which you could use for syncing.

r. Ismo

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...