Hi @richgalloway,

This is with respect to your solution posted in https://community.splunk.com/t5/Splunk-Search/Searchquery-error/m-p/509508. Since the thread is from 2020 and it is marked as resolved, I have created this new thread.

The issue is about an error message observed in Splunk index=_internal:

Failed to read size=1 event(s) from rawdata in bucket Rawdata may be corrupt, see search.log. Results may be incomplete!

You shared that if the bucket prefix is "rb_", it is a replicated bucket and thus we should stop the indexer, delete the bucket, then restart the indexer. The cluster master will create a new replicate bucket.

I need your inputs when the prefix is "db_": what does it stand for and what all actions to take for it?

Secondly, I also observed the bucket prefix "hot_v1". Thus, I would want to know what it stands for and what all actions to take for it.

Thirdly, you stated the specific file may be corrupt. I need your inputs on the below:

1. How do I find if the file became corrupt or if the reason is different?
2. How do I find the details of the file if it got corrupt, such as:
   2.1 From which forwarder was the data sent?
   2.2 At what timestamp did the file become corrupt?

Thank you