Splunk Search

Rawdata may be corrupt

profileaudio
New Member

Hi anyone and everyone,

Please could somebody help.

I have been using Splunk for the past 2 and a half years.
I am using Splunk 5 and whenever I install a Splunk update over the existing Splunk 5, Splunk starts up as normal but after I perform a search, all the data will show until it gets to a point where it all vanishes and is replaced by the following.

Error in 'databasePartitionPolicy': Failed to read 1 event(s) from rawdata in bucket 'main~178~02C5891B-D87B-444E-9AEC-E9C8E3E45913'. Rawdata may be corrupt, see search.log

At this point I just reinstall the previous version as I need the search data.

As I know I am going to have to update it for good at some point can any one fix this corruption issue?

Kind regards,

Paul

0 Karma

lukejadamec
Super Champion

I've run into this before also, and there is a fix IF the actual data in the bucket is not corrupt. If the bucket raw data is truly corrupt, it cannot be fixed.

Here is a good place to read about fixing bad buckets:

http://wiki.splunk.com/Community:PostCrashFsckRepair

The repair routine never worked for me, so I use the rebuild instructions. However, sometimes those also fail for me, so modify the instructions a bit...

First try the instructions as written. If that fails try this on a copy of the bucket.

Remove all files inside the bucket except journal.gz - don't change the folder structure. Run rebuild on the bucket again, and it will be rebuilt from raw data. If that fails, then the data is likely unrecoverable.

asmithe
Path Finder

I have this same problem. Any answers?

Updated answer:

Without a service contract it is very difficult to get answers or a solution to this problem that dont include some data loss.

Ultimately, I had to track down the data buckets that had the corrupt data and remove them. Some of my SOS data is also corrupted and i never have gotten around to sorting out which data needs to be gone.

0 Karma

khyoung7410
Communicator

I have this same problem. Any answers?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...