Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Errors

sriva6
New Member
‎02-26-2013 03:28 AM

Hi, I am getting this error when I open one of my dashboards today.

" Error in 'databasePartitionPolicy': Failed to read 1 event(s) from rawdata in bucket 'main-xxxxxx'. Rawdata may be corrupt, see search.log."

this is what i see in search.log

02-26-2013 11:22:21.540 INFO DispatchCommand - Round Robin Threaded ProviderQueue: done reading from peer 'BP1LCSAP031'
02-26-2013 11:22:23.506 ERROR JournalSlice - Cannot seek to 74529344
02-26-2013 11:22:23.506 ERROR databasePartitionPolicy - Failed to read event at address=2329042 in rawdata directory: \reuxeuss019-f07\splunk_index\defaultdb\db\db_1361833650_1361568580_55\rawdata
02-26-2013 11:22:23.506 ERROR databasePartitionPolicy - Failed to read 1 event(s) from rawdata in bucket 'main~55~004CC9C7-AEAA-4C5A-B3C7-2B22F4A91F7D'. Rawdata may be corrupt, see search.log
02-26-2013 11:22:23.521 INFO IndexScopedSearch - PREAD_HISTOGRAM: usec_1_8=3718 usec_8_64=0 usec_64_512=0 usec_512_4096=0 usec_4096_32768=9

Any suggestions please?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Drainy
Champion
‎02-26-2013 04:38 AM

You may need to manually run FSCK against your buckets, have a look here for the detail;
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/HowSplunkstoresindexes#Troubleshoot_your_...

Also, if you store your buckets on another filesystem/partition make sure that there are no issues with permissions or the user that Splunk is running as can access them still.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Drainy
Champion
‎02-26-2013 04:38 AM

You may need to manually run FSCK against your buckets, have a look here for the detail;
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/HowSplunkstoresindexes#Troubleshoot_your_...

Also, if you store your buckets on another filesystem/partition make sure that there are no issues with permissions or the user that Splunk is running as can access them still.

0 Karma
Reply
Solved! Jump to solution

sriva6
New Member
‎02-26-2013 07:45 AM

running FSCK helped

0 Karma
Reply
Solved! Jump to solution

sriva6
New Member
‎02-26-2013 03:58 AM

No, I haven't tried a reboot yet but this was working fine till yesterday. Also, I see these as well in the indexing errors:

INFO databasePartitionPolicy - idx=_audit Moving from='hot_v1_48' to warm='write error on hot bucket'
» 2/26/13
11:46:04.961 AM
02-26-2013 11:46:04.961 +0000 ERROR databasePartitionPolicy - Unable to write raw: for idx=_audit, path='\reuxeuss019-f07\splunk_index\audit\db\hot_v1_48'
» 2/26/13
11:45:26.989 AM
02-26-2013 11:45:26.989 +0000 INFO databasePartitionPolicy - idx=_internal Moving from='hot_v1_67' to warm='write error on hot bucket'

0 Karma
Reply
Solved! Jump to solution

SplunkFu
Path Finder
‎02-26-2013 03:53 AM

tried a reboot of splunkd? this may rebuild corrupt sections.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...