splunk command to repair buckets

kteng2024 · ‎03-23-2017

hi,

can i please know the splunk command to rebuild the buckets in a directory . I used splunk rebuild directory_name but not working.

saramamurthy_sp · ‎08-30-2019

Hi

You can use the below command to rebuild the buckets, from the raw data file alone.

$plunk_home/bin/splunk rebuild

You can use the fsck command on the indexers to repair them as well.

$plunk_home/bin/splunk fsck repair --all-buckets-all-indexes

his will rebuild hot/warm/cold in all indexes.

If you require it in a single index, then you can use the below command.

$plunk_home/bin/splunk fsck repair --all-buckets-one-index --index-name=

Below is the document which will help you to understand better.

https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/Bucketissues

mbadhusha_splun · ‎11-23-2017

Hi,

Splunk built-in "rebuild" command is for single bucket. The indexer automatically deletes the old index and metadata files and rebuilds them. You don't need to delete any files yourself.

You can use the below command to rebuild a single bucket

splunk rebuild (name of the bucket directory)

Refer the below link for more details regarding the same.

https://docs.splunk.com/Documentation/Splunk/7.0.0/Indexer/Bucketissues

Cheers,
Meeran.

somesoni2 · ‎03-23-2017

The rebuild command can rebuild one data bucket at a time. DOes your directory_name is full/relative path to your data bucket that you want to rebuild?

adonio · ‎03-24-2017

are you looking for the fsck command?
https://wiki.splunk.com/Community:PostCrashFsckRepair

splunk command to repair buckets

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life