Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Searchquery error

Reethika
Path Finder
‎07-16-2020 05:49 AM

Hi, While I'm running splunk  for a search for timeperiod = 1year.

I always getting this error

[xxxxindexernamexxxx]  Failed to read size=1 event(s) from rawdata in bucket='os~708~1FBB5DA1-4091-4DEA-9134-E6C689617D66' path='/opt/splunkcolddata/os/colddb/rb_1590815402_1590790190_708_1FBB5DA1-4091-4DEA-9134-E6C689617D66. Rawdata may be corrupt, see search.log. Results may be incomplete!

 

Does this mean that particular file "rb_1590815402_1590790190_708_1FBB5DA1-4091-4DEA-9134-E6C689617D66" is corrupted?

If so can we retrieve this? 

Thanks.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-16-2020 09:49 AM

It means that specific file may be corrupt.  You have two options:

  1. Run the Splunk fsck command to scan and/or repair the bucket.  See https://docs.splunk.com/Documentation/Splunk/8.0.4/Troubleshooting/CommandlinetoolsforusewithSupport...
  2. Since this is a replicated bucket (based on the "rb_" prefix), stop the indexer, delete the bucket, then restart the indexer.  The cluster master will create a new replicate bucket.

     UPDATE: the "rb_" prefix means the bucket was a replicate when it was first created.  However, it may now be the primary bucket if the original primary was lost (buckets are not renamed in that case).

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-16-2020 09:49 AM

It means that specific file may be corrupt.  You have two options:

  1. Run the Splunk fsck command to scan and/or repair the bucket.  See https://docs.splunk.com/Documentation/Splunk/8.0.4/Troubleshooting/CommandlinetoolsforusewithSupport...
  2. Since this is a replicated bucket (based on the "rb_" prefix), stop the indexer, delete the bucket, then restart the indexer.  The cluster master will create a new replicate bucket.

     UPDATE: the "rb_" prefix means the bucket was a replicate when it was first created.  However, it may now be the primary bucket if the original primary was lost (buckets are not renamed in that case).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...