Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

remove excess buckets

jariw
Path Finder
‎01-24-2022 02:59 AM

Hi,

some questions...

Last weekend we've got an error on the indexers. It is a multisite indexers with 6<>6 indexers (each site 6 indexers). 

Some indexers went down and the data storage went sky high. Stil not sure why. But when we started the indexers which where down, the data storage went partly back on nomal except one indexer.

I noticed a lot off excess buckets...  very very much. I started removing these buckets,  but it stopped on one point and never went further with cleaning.  Could this be because of the data part of this one indexer is full (it is at this moment in automatic detention state).

I don't see the activity on the cluster master, so it seems it is finished.. but i can't start a new action to clean, is says "Previously scheduled Remove Excess Buckets is running". 

I tried a rolling restart (in maint mode), but it doesn't allow because of the "remove excess buckets is running"..

How can i stop this "Previously scheduled Remove Excess Buckets is running"  ?

thanks in advance..

Labels (2)
0 Karma
Reply

pellegrini
Path Finder
‎07-08-2024 04:22 AM

Restart splunkd on CM worked fine for me when "Previously scheduled Remove Excess Buckets is running", been hanging for days.

0 Karma
Reply

jariw
Path Finder
‎01-24-2022 05:24 AM

It solved itself after restart two ther indexers and remove excess buckets per index (what strangly was allowed).

After a while it seems there was enough space for removing the rest off the excess buckets.

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-25-2022 01:18 PM
Usually you could fix this kind of situations by rebooting CM.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...