Hello, I am seeing the following error while running Splunk search.
"idx=##INDEX NAME HERE## Could not read event: cd=0:33610. Results may be incomplete ! (logging only the first such error; enable DEBUG to see the rest)"
Any idea why it might be happening? How can I search more logging for this error.
I'm seeing a similar error. How would one ID the bucket that is a problem? What component should I put into Debug ?
Here's what i used-- kudos to splunk support for that one:
Ensure that you've got $SPLUNK_DB set in your environment (source $SPLUNK_HOME/bin/setSplunkEnv):
find $SPLUNK_DB -type f -wholename '/db/[dr]b_/rawdata/journal.gz' | perl -ne 'chomp;$d=$;$d=~s/journal.gz$//;if(-e "$d/slicesv2.dat"){@s=splunk cmd splunkd slices-dat-util --print \Q$d\E
;if(${^CHILD_ERROR_NATIVE}){print STDERR "Error processing $d\n"}elsif($s[$#s]!~/\d+:(?:\s+\d+){2}\s+(\d+)/){print STDERR "Error parsing results from $d\n"}else{print "$d\n" if $1 >= ((stat "$")[7])}}'
cheers
Try to stop the indexer and do a rebuild on the bucket. Therefore sometimes even if the rebuild seems successful the bucket is still corrupted (7.0.1)
I am also seeing this for the _internal index: [indexer] idx=_internal Could not read event: cd=(n/a). Results may be incomplete !
The "Could not read event: cd=(n/a)" bug has been fixed in 7.0.1