Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Cluster Master have SF/RF not meet due to a lot of bucket got status 'bucket hasn't rolled yet'

daniel_splunk
Splunk Employee
Splunk Employee
‎10-23-2018 08:57 PM

This message may go away if waiting for longer time. However, I don't want to wait and any command to roll all the bucket.

Tags (1)
0 Karma
Reply

daniel_splunk
Splunk Employee
Splunk Employee
‎10-23-2018 09:01 PM

You can run below search on your cluster master to get a list of bucket that have status="bucket hasn't rolled yet"

| rest splunk_server=local /services/cluster/master/fixup level=replication_factor 
| table title, latest.reason
| rename latest.reason AS LatestReason
| rename totle AS bucketID
| regex LatestReason="bucket hasn't rolled yet" | table buckekID

Once you got the bucketId, simple run below command on your Cluster Master will roll the bucket.

curl -k -u admin:changme https://localhost:8089/services/cluster/master/control/control/roll-hot-buckets  -d "bucket_id=<BUCIET_ID>”

For example,
curl -k -u admin:changeme https://localhost:8089/services/cluster/master/control/control/roll-hot-buckets  -d "bucket_id=_internal~4520~11111111-1111-1111-1111-111111111111”

IF you prefer, you can do this in batch mode.

e.g. cat /var/tmp/bucketId.txt
os~100~2FC3562D-9D2D-49CB-A598-89E47397E5D7
_internal~4523~11111111-1111-1111-1111-111111111111

for i in `cat /var/tmp/bucketId.txt`; do curl  -k -u admin:changeme https://localhost:8089/services/cluster/master/control/control/roll-hot-buckets -d "bucket_id=$i"; done
Reply

smallfry
Explorer
‎10-27-2018 02:19 AM

This is a great answer, even though it didn't work for me. For some reason, I constantly have hundreds of such bucket status that just didn't go away, even after restarting the CM and rolling-restart of my 7 indexers. When I ran this in batch mode, I had the following error message for every of the listed 685 buckets:

Cannot roll a bucket with bid=ciscolog~330~5442CDRE-2540-45C7-DD32-23D48D394D8F to warm, Reason="Master already has committed size for this bucket."

Any clue how to resolve this?

0 Karma
Reply

daniel_splunk
Splunk Employee
Splunk Employee
‎10-28-2018 05:56 PM

Did you try enable the maintenance mode and then restart the CM?

0 Karma
Reply

smallfry
Explorer
‎10-29-2018 07:08 PM

I went into the CM and enable maintenance mode, after which I then do a "splunk restart". However, it's still the same error. Any pointers will be appreciated.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...