Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Searchquery error

Reethika
Path Finder
‎07-16-2020 05:49 AM

Hi, While I'm running splunk  for a search for timeperiod = 1year.

I always getting this error

[xxxxindexernamexxxx]  Failed to read size=1 event(s) from rawdata in bucket='os~708~1FBB5DA1-4091-4DEA-9134-E6C689617D66' path='/opt/splunkcolddata/os/colddb/rb_1590815402_1590790190_708_1FBB5DA1-4091-4DEA-9134-E6C689617D66. Rawdata may be corrupt, see search.log. Results may be incomplete!

 

Does this mean that particular file "rb_1590815402_1590790190_708_1FBB5DA1-4091-4DEA-9134-E6C689617D66" is corrupted?

If so can we retrieve this? 

Thanks.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-16-2020 09:49 AM

It means that specific file may be corrupt.  You have two options:

  1. Run the Splunk fsck command to scan and/or repair the bucket.  See https://docs.splunk.com/Documentation/Splunk/8.0.4/Troubleshooting/CommandlinetoolsforusewithSupport...
  2. Since this is a replicated bucket (based on the "rb_" prefix), stop the indexer, delete the bucket, then restart the indexer.  The cluster master will create a new replicate bucket.

     UPDATE: the "rb_" prefix means the bucket was a replicate when it was first created.  However, it may now be the primary bucket if the original primary was lost (buckets are not renamed in that case).

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-16-2020 09:49 AM

It means that specific file may be corrupt.  You have two options:

  1. Run the Splunk fsck command to scan and/or repair the bucket.  See https://docs.splunk.com/Documentation/Splunk/8.0.4/Troubleshooting/CommandlinetoolsforusewithSupport...
  2. Since this is a replicated bucket (based on the "rb_" prefix), stop the indexer, delete the bucket, then restart the indexer.  The cluster master will create a new replicate bucket.

     UPDATE: the "rb_" prefix means the bucket was a replicate when it was first created.  However, it may now be the primary bucket if the original primary was lost (buckets are not renamed in that case).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...