Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Searchquery error

Reethika
Path Finder
‎07-16-2020 05:49 AM

Hi, While I'm running splunk  for a search for timeperiod = 1year.

I always getting this error

[xxxxindexernamexxxx]  Failed to read size=1 event(s) from rawdata in bucket='os~708~1FBB5DA1-4091-4DEA-9134-E6C689617D66' path='/opt/splunkcolddata/os/colddb/rb_1590815402_1590790190_708_1FBB5DA1-4091-4DEA-9134-E6C689617D66. Rawdata may be corrupt, see search.log. Results may be incomplete!

 

Does this mean that particular file "rb_1590815402_1590790190_708_1FBB5DA1-4091-4DEA-9134-E6C689617D66" is corrupted?

If so can we retrieve this? 

Thanks.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-16-2020 09:49 AM

It means that specific file may be corrupt.  You have two options:

  1. Run the Splunk fsck command to scan and/or repair the bucket.  See https://docs.splunk.com/Documentation/Splunk/8.0.4/Troubleshooting/CommandlinetoolsforusewithSupport...
  2. Since this is a replicated bucket (based on the "rb_" prefix), stop the indexer, delete the bucket, then restart the indexer.  The cluster master will create a new replicate bucket.

     UPDATE: the "rb_" prefix means the bucket was a replicate when it was first created.  However, it may now be the primary bucket if the original primary was lost (buckets are not renamed in that case).

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-16-2020 09:49 AM

It means that specific file may be corrupt.  You have two options:

  1. Run the Splunk fsck command to scan and/or repair the bucket.  See https://docs.splunk.com/Documentation/Splunk/8.0.4/Troubleshooting/CommandlinetoolsforusewithSupport...
  2. Since this is a replicated bucket (based on the "rb_" prefix), stop the indexer, delete the bucket, then restart the indexer.  The cluster master will create a new replicate bucket.

     UPDATE: the "rb_" prefix means the bucket was a replicate when it was first created.  However, it may now be the primary bucket if the original primary was lost (buckets are not renamed in that case).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...