Splunk Enterprise

bucket status an change masks failed

jariw
Explorer

Hi,

two questions

One : In our environment we have got a multi site cluster with multiple peers.  In the bucket status we have got much errors which the  fixe up reason "change masks failed" and with current status "Cannot replicate as bucket hasn't rolled yet" .

Whats does that  "change masks failed" mean? And what to do about it?

Second question,  is there a possibility to resync the buckets with a cli command or other command line to sync multiple buckets (say about a 1000+ buckets) ?  Doing them all by hand is ... let's say.... time consuming

thanx in advance for the answer.

greetz

Jari

 

0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

In 8.1.3 and 8.1.4 (at least) seems to be bug (not confirmed by splunk yet) which try to replicate already partially frozen buckets. See more https://community.splunk.com/t5/Deployment-Architecture/Frozen-Buckets-with-Error-Cannot-replicate-a...

Basically you could create shell/python etc. scripts which you could use for syncing.

r. Ismo

View solution in original post

0 Karma

jariw
Explorer

Hi R. Ismo.

 

Thanks for the link. I am already checking it out. Could you give me a clue for the python script?? Or a link to some info?

Thanx in advance

Greets

jari

0 Karma

jariw
Explorer

Restarting the CM did the trick. Al the fixup tasks are gone. It is temperarely, they come back slowly .. Waiting for the fix in the future..

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Have you already reported this to splunk support? If not please do it. And you should mention that there is already couple of other tickets for that issue.
0 Karma

jariw
Explorer

Just reported it (thanx for the advise).  Lets wait for a solution, clicking the status warnings  away is not amusing...

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Short update for this case.
In our multisite cluster this issue has vanished as all those buckets have frozen now. We are still investigating this with splunk, but lets see if they can reproduce this in their own environment as this didn't seem to be common issue.
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

In 8.1.3 and 8.1.4 (at least) seems to be bug (not confirmed by splunk yet) which try to replicate already partially frozen buckets. See more https://community.splunk.com/t5/Deployment-Architecture/Frozen-Buckets-with-Error-Cannot-replicate-a...

Basically you could create shell/python etc. scripts which you could use for syncing.

r. Ismo

View solution in original post

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!