Splunk Search

Rawdata may be corrupt

profileaudio
New Member

Hi anyone and everyone,

Please could somebody help.

I have been using Splunk for the past 2 and a half years.
I am using Splunk 5 and whenever I install a Splunk update over the existing Splunk 5, Splunk starts up as normal but after I perform a search, all the data will show until it gets to a point where it all vanishes and is replaced by the following.

Error in 'databasePartitionPolicy': Failed to read 1 event(s) from rawdata in bucket 'main~178~02C5891B-D87B-444E-9AEC-E9C8E3E45913'. Rawdata may be corrupt, see search.log

At this point I just reinstall the previous version as I need the search data.

As I know I am going to have to update it for good at some point, can anyone fix this corruption issue?

Kind regards,

Paul

0 Karma

lukejadamec
Super Champion

I've run into this before also, and there is a fix IF the actual data in the bucket is not corrupt. If the bucket raw data is truly corrupt, it cannot be fixed.

Here is a good place to read about fixing bad buckets:

http://wiki.splunk.com/Community:PostCrashFsckRepair

The repair routine never worked for me, so I use the rebuild instructions. However, sometimes those also fail for me, so I modify the instructions a bit...

First try the instructions as written. If that fails try this on a copy of the bucket.

Remove all files inside the bucket except journal.gz - don't change the folder structure. Run rebuild on the bucket again, and it will be rebuilt from raw data. If that fails, then the data is likely unrecoverable.
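The copy-and-strip step described above, as an added example that is not part of the original post or of Splunk's tooling. The function name `prepare_bucket_copy` and all paths are hypothetical, and it assumes `journal.gz` sits somewhere under the bucket directory (normally in `rawdata/`).

```shell
# Added example: prepare a stripped copy of a bucket for a rebuild from raw data.
# The original bucket is never modified; all work happens on the copy.

# prepare_bucket_copy SRC_BUCKET WORK_DIR
# Copies SRC_BUCKET into WORK_DIR, then deletes every file in the copy except
# journal.gz, leaving the directory structure untouched. Prints the copy path.
prepare_bucket_copy() {
    src=${1%/}
    work=$2
    if [ ! -d "$src" ]; then
        echo "not a directory: $src" >&2
        return 1
    fi
    # Refuse to continue when there is no raw data to rebuild from.
    if [ -z "$(find "$src" -type f -name journal.gz)" ]; then
        echo "no journal.gz under $src" >&2
        return 1
    fi
    copy="$work/$(basename "$src")"
    # Never overwrite an earlier working copy.
    if [ -e "$copy" ]; then
        echo "refusing to overwrite $copy" >&2
        return 1
    fi
    mkdir -p "$work" || return 1
    cp -Rp "$src" "$copy" || return 1
    # Remove index and metadata files; directories are left in place.
    find "$copy" -type f ! -name journal.gz -exec rm -f {} + || return 1
    printf '%s\n' "$copy"
}

# Usage (placeholder paths; run the rebuild against the copy, not the original):
#   copy=$(prepare_bucket_copy /path/to/index/db/BUCKET_DIR /tmp/rebuild)
#   "$SPLUNK_HOME/bin/splunk" rebuild "$copy"
```

Only swap the rebuilt copy in for the original bucket after the rebuild completes without errors, and keep the untouched original until searches against the rebuilt bucket succeed.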

asmithe
Path Finder

I have this same problem. Any answers?

Updated answer:

Without a service contract it is very difficult to get answers or a solution to this problem that don't include some data loss.

Ultimately, I had to track down the data buckets that had the corrupt data and remove them. Some of my SOS data is also corrupted and I never have gotten around to sorting out which data needs to be gone.

0 Karma

khyoung7410
Communicator

I have this same problem. Any answers?

0 Karma