Here is the log entry from splunkd.log:
12-23-2013 11:47:26.478 -0500 ERROR StreamGroup - Dumping contents of file="/idm/idmt_home/splunk/var/lib/splunk/os/db/hot_v1_228/splunk-autogen-params.dat" txnPerSync=97:
12-23-2013 11:47:26.478 -0500 ERROR StreamGroup - SPLUNK AUTO-GENERATED FILE. DO NOT MODIFY.|129554|1844773|1114686|32866|97|
I've restarted Splunk with no success. I am on version Splunk 6.0 (build 182037).
Any suggestions?
Thanks
Another thing that might be a pointer to check out is whether you have any events not parsed correctly in this data.
I would check the klpitest index (in this case) for events with a linecount bigger than 1 (or whatever you expect from your events), and check if I have (a few) events with another timestamp or format in the data (since this looks like a custom input, custom sourcetype(?)).
At least I found some events that had not been parsed correctly in those indexes reported by this "Stream group" error.
I did not, however, find any other errors or warnings regarding parsing errors or whatnot in splunkd.log, for those who are wondering ...
I was seeing exactly the error as described by @khyoung, except the name of the hot bucket was different in my case (hot_v1_518 instead of hot_v1_1). I am on Splunk 5.0.2 with "Splunk App for unix and linux" version 5.01. (I mention this because the OS db is used by this app.) It did not hang my browser, but I happened to be running a tail -f in the background piping to a grep for ERROR, and this started showing up after I had stopped Splunk, manually re-installed the app, and restarted Splunk. (I had to manually re-install the app because someone here accidentally rm'd something in there.)
So, I went searching for this error and found your Splunk question and comments, and as no one had any answers -- and I had already tried stopping and starting Splunk -- I decided to try this (WARNING -- stop Splunk first!):
splunk fsck --repair --index os --all
And guess what? After I restarted Splunk I did not see this error anymore. See if it works for you.
Is it possible that there's a single line event written into the logs that is extraordinarily long? I recently found that single line events with tens of thousands or hundreds of thousands of characters can hang the browser.
I'm getting this too, and I can't seem to figure it out. Have you guys had any luck yet?
Me too....
I am on version Splunk 6.0.1 and using *NIX
01-13-2014 16:08:34.380 +0900 ERROR StreamGroup - SPLUNK AUTO-GENERATED FILE. DO NOT MODIFY.|134044|1554700|1117670|32830|61|
01-13-2014 16:08:34.380 +0900 ERROR StreamGroup - <<<EOF file="/opt/sp_test/splunk/var/lib/splunk/os/db/hot_v1_1/splunk-autogen-params.dat"
01-13-2014 16:09:04.379 +0900 ERROR StreamGroup - Dumping contents of file="/opt/sp_test/splunk/var/lib/splunk/os/db/hot_v1_1/splunk-autogen-params.dat" txnPerSync=61:
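An added example, not part of any post in this thread and not Splunk's own code: a Python script that reads splunkd.log lines and reports which index directory and hot bucket the StreamGroup errors point at, which is the index the replies above suggest inspecting or repairing. It assumes the bucket path layout seen in the quoted logs (`.../<index dir>/db/<bucket>/splunk-autogen-params.dat`); the function name `affected_buckets` and the `SAMPLE` list are made up here, with the sample lines copied from the posts above.

```python
import re

# The two StreamGroup line shapes quoted in this thread that carry a file path.
STREAMGROUP_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
    r'ERROR StreamGroup - (?P<kind>Dumping contents of|<<<EOF) file="(?P<path>[^"]+)"'
)
# Assumption: .../<index dir>/db/<bucket>/splunk-autogen-params.dat, as in the posts.
# A custom homePath in indexes.conf would make the directory differ from the index name.
BUCKET_RE = re.compile(
    r'/(?P<index>[^/]+)/db/(?P<bucket>[^/]+)/splunk-autogen-params\.dat$'
)

def affected_buckets(lines):
    """Map (index_dir, bucket) -> dump count and first/last timestamp seen."""
    found = {}
    for line in lines:
        m = STREAMGROUP_RE.match(line)
        if not m:
            continue  # not a StreamGroup line with a path (e.g. the content dump itself)
        b = BUCKET_RE.search(m["path"])
        if not b:
            continue  # path does not follow the assumed layout
        rec = found.setdefault(
            (b["index"], b["bucket"]),
            {"dumps": 0, "first": m["ts"], "last": m["ts"]},
        )
        if m["kind"] == "Dumping contents of":
            rec["dumps"] += 1
        rec["last"] = m["ts"]  # log lines are assumed to be in chronological order
    return found

# Sample input: lines copied from the two log excerpts posted in this thread.
SAMPLE = [
    '12-23-2013 11:47:26.478 -0500 ERROR StreamGroup - Dumping contents of file="/idm/idmt_home/splunk/var/lib/splunk/os/db/hot_v1_228/splunk-autogen-params.dat" txnPerSync=97:',
    '12-23-2013 11:47:26.478 -0500 ERROR StreamGroup - SPLUNK AUTO-GENERATED FILE. DO NOT MODIFY.|129554|1844773|1114686|32866|97|',
    '01-13-2014 16:08:34.380 +0900 ERROR StreamGroup - SPLUNK AUTO-GENERATED FILE. DO NOT MODIFY.|134044|1554700|1117670|32830|61|',
    '01-13-2014 16:08:34.380 +0900 ERROR StreamGroup - <<<EOF file="/opt/sp_test/splunk/var/lib/splunk/os/db/hot_v1_1/splunk-autogen-params.dat"',
    '01-13-2014 16:09:04.379 +0900 ERROR StreamGroup - Dumping contents of file="/opt/sp_test/splunk/var/lib/splunk/os/db/hot_v1_1/splunk-autogen-params.dat" txnPerSync=61:',
]

if __name__ == "__main__":
    for (index_dir, bucket), rec in affected_buckets(SAMPLE).items():
        print(f"index dir={index_dir} bucket={bucket} dumps={rec['dumps']} "
              f"first={rec['first']} last={rec['last']}")
```

To run it against a live log, pass `open(path_to_splunkd_log)` to `affected_buckets` instead of `SAMPLE`.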