- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Failing manual Splunk-optimize when 'The index pro...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I've started to get this error message:
The index processor has paused data flow. Too many tsidx files in idx=_audit bucket="/opt/splunk/var/lib/splunk/audit/db/hot_v1_13" , waiting for the splunk-optimize indexing helper to catch up merging them. Ensure reasonable disk space is available, and that I/O write throughput is not compromised.
I then tried the manual splunk-optimize, but that returned this error message:
tm= 1568090447 ERROR merge failed for path=/opt/splunk/var/lib/splunk/audit/db/hot_v1_13 rc=-2 wrc=-2 errno=12 file=/opt/splunk/var/lib/splunk/audit/db/hot_v1_13/1567134306-1567134305-16403447236531428423.tsidx hint=_init_reader_helper in _merge_all_postings_n]
tm= 1568090447 ERROR optimize finished: failed, see rc for more details, dir=/opt/splunk/var/lib/splunk/audit/db/hot_v1_13, rc=-2 (unsigned 254), errno=12
tm= 1568090447 INFO exiting splunk-optimize process with rc=-2 (unsigned 254)
I've tried to search for "errno=12", but I can't find any info regarding it (just other error numbers).
All my indexes have default settings.
Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you run into a situation of too many tsidx files and splunk can't resolve it by it self. Try restarting splunk with splunk restart Upon starting splunk again, all hot buckets will be rolled to warm and the tsidx files gets merged into fewer files.
Watch the stdout from the restart comand to see if it throws any errors and review $SPLUNK_HOME/var/log/splunk/splunkd.log and lookout for any WARN or ERROR messages following the last shutdown.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'm encountering the exact same error, only for another index. And it happens a lot, nearly on a daily basis (work days)
Is there any new update on this topic please ?
Thank you for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you run into a situation of too many tsidx files and splunk can't resolve it by it self. Try restarting splunk with splunk restart Upon starting splunk again, all hot buckets will be rolled to warm and the tsidx files gets merged into fewer files.
Watch the stdout from the restart comand to see if it throws any errors and review $SPLUNK_HOME/var/log/splunk/splunkd.log and lookout for any WARN or ERROR messages following the last shutdown.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
