Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Cluster Master have SF/RF not meet due to a lot of bucket got status 'bucket hasn't rolled yet'

daniel_splunk
Splunk Employee
Splunk Employee
‎10-23-2018 08:57 PM

This message may go away if waiting for longer time. However, I don't want to wait and any command to roll all the bucket.

Tags (1)
0 Karma
Reply

daniel_splunk
Splunk Employee
Splunk Employee
‎10-23-2018 09:01 PM

You can run below search on your cluster master to get a list of bucket that have status="bucket hasn't rolled yet"

| rest splunk_server=local /services/cluster/master/fixup level=replication_factor 
| table title, latest.reason
| rename latest.reason AS LatestReason
| rename totle AS bucketID
| regex LatestReason="bucket hasn't rolled yet" | table buckekID

Once you got the bucketId, simple run below command on your Cluster Master will roll the bucket.

curl -k -u admin:changme https://localhost:8089/services/cluster/master/control/control/roll-hot-buckets  -d "bucket_id=<BUCIET_ID>”

For example,
curl -k -u admin:changeme https://localhost:8089/services/cluster/master/control/control/roll-hot-buckets  -d "bucket_id=_internal~4520~11111111-1111-1111-1111-111111111111”

IF you prefer, you can do this in batch mode.

e.g. cat /var/tmp/bucketId.txt
os~100~2FC3562D-9D2D-49CB-A598-89E47397E5D7
_internal~4523~11111111-1111-1111-1111-111111111111

for i in `cat /var/tmp/bucketId.txt`; do curl  -k -u admin:changeme https://localhost:8089/services/cluster/master/control/control/roll-hot-buckets -d "bucket_id=$i"; done
Reply

smallfry
Explorer
‎10-27-2018 02:19 AM

This is a great answer, even though it didn't work for me. For some reason, I constantly have hundreds of such bucket status that just didn't go away, even after restarting the CM and rolling-restart of my 7 indexers. When I ran this in batch mode, I had the following error message for every of the listed 685 buckets:

Cannot roll a bucket with bid=ciscolog~330~5442CDRE-2540-45C7-DD32-23D48D394D8F to warm, Reason="Master already has committed size for this bucket."

Any clue how to resolve this?

0 Karma
Reply

daniel_splunk
Splunk Employee
Splunk Employee
‎10-28-2018 05:56 PM

Did you try enable the maintenance mode and then restart the CM?

0 Karma
Reply

smallfry
Explorer
‎10-29-2018 07:08 PM

I went into the CM and enable maintenance mode, after which I then do a "splunk restart". However, it's still the same error. Any pointers will be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...