Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Possible Bad Pointer in Index or Database?

dladkisson
New Member
‎05-04-2011 06:39 AM

After a system reboot for updates, SplunkWeb didn't not relaunch successfully after restart. After letting it sit for a few minutes SplunkWeb did finally launch however it appears that perhaps there was a corruption in the event database.

All I am feeding into it right now is Cisco IDS events using the Splunk_CiscoIPS plugin; latest versions of both the plugin and Splunk.

I cannot seem to find in the documentation a way to check the event database for errors nor figure out which database may even be affected.

If I start a query that overlaps the 15/20 minutes where the Splunkweb was down, the search hangs when it gets to that period. Searching outside the 'damaged' period returns results just fine.

Any suggestions would be greatly appreciated.

Tags (2)
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-05-2011 04:44 PM

It sounds like you may have a corrupted bucket. No real great answer here, except you probably would be best off to open a support case.

You could try quasi-randomly moving buckets out of your index directories. The dbinspect command might help you figure out which buckets match the time ranges of interest. Obviously, this approach may cause you to have data loss, where support might (if you're lucky) be able to avoid that.

0 Karma
Reply
Get Updates on the Splunk Community!

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...