Hi,
A bucket id is made of three parts, index, local sequence, and GUID. "index" is the name of the data index and "GUID" is the global unique ID of the indexer (or Splunk server). For a given index, both "index" and "GUID" are invariant when splunkd generates a new bucket id. The only variant part is the bucket local sequence that is saved in the metadata file "var/lib/splunk/.dat". So, the root cause of bucket id conflicts is that two buckets have the same local sequence number accidentally when splunkd adds a new hot bucket or replicates a clustered bucket. Moreover, restoring the buckets from backup archives likely causes the bucket id conflicts.
Write a script to either disable the duplicate bucket or rename it before rebuild it.
Thanks!
... View more