Deployment Architecture

When check-integrity reveals a bad bucket, do numbers for the bad slices get reported?

garylutchansky
New Member

I'm doing research on Splunk. I don't have direct access to the product. I saw in a Splunk-provided presentation that "a bad bucket result returns the bucket number and slice number for a changed slice/bucket". Is this true? Here's the presentation:

https://conf.splunk.com/session/2015/conf2015_DBhagi_Splunk_SplunkEntWhatsNew_DataIntegrityControl.p...
Note: apparently karma is needed to post links. The presentation was by Dhruva Bhagi, Sr. Software Engineer at Splunk. The presentation is titled "Data Integrity Control".

I'd like to confirm this behavior. The check-integrity command and a snippet of sample output would be fantastic.

Thanks!
gary

0 Karma

jdumont33
Explorer

Hello gary,

Yes, it does tell you which slice is wrong with this kind of message:

Integrity check failed for bucket with path=/opt/splunk/XXXXXXXX/index/db/rb_1480438183_1478748435_95_D6AXXXXXXXXX, Reason=Hash of journal slice# 45718 did not match the expected value in l1Hashes_95_D6AXXXXXXXXX.dat

I haven't yet tried to understand which event inside the bucket is wrong based on the slice number and the slice size.

In our case we have an indexer cluster; when this message pops up, we replace the bucket (in this example, a replicated bucket) with its copy available on another cluster node.

0 Karma
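The failure message quoted in the answer above can be parsed to collect the failing slice numbers per bucket before replacing the bucket from another peer. This is an added example, not part of the original thread and not Splunk's own code; it assumes the message layout of the quoted sample line and the bucket directory naming `<db|rb>_<newest>_<oldest>_<localid>_<guid>`, and the second and third sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Message layout copied from the sample line quoted in the answer.
FAILURE_RE = re.compile(
    r"Integrity check failed for bucket with path=(?P<path>\S+), "
    r"Reason=Hash of journal slice# (?P<slice>\d+) did not match "
    r"the expected value in (?P<hash_file>\S+)")
# Assumption: bucket directories are named
# <db|rb>_<newest_epoch>_<oldest_epoch>_<local_id>_<origin_guid>.
BUCKET_RE = re.compile(
    r"(?P<kind>db|rb)_(?P<newest>\d+)_(?P<oldest>\d+)"
    r"_(?P<local_id>\d+)_(?P<guid>[0-9A-Za-z-]+)/?$")

def parse_failure(line):
    """Return a dict describing one failed slice, or None if no match."""
    m = FAILURE_RE.search(line)
    b = BUCKET_RE.search(m["path"]) if m else None
    if not b:
        return None
    key = f"{b['local_id']}_{b['guid']}"
    return {
        "path": m["path"],
        "replicated": b["kind"] == "rb",   # rb_ prefix = replicated copy
        "newest": datetime.fromtimestamp(int(b["newest"]), timezone.utc),
        "oldest": datetime.fromtimestamp(int(b["oldest"]), timezone.utc),
        "bucket_key": key,                 # local id + origin GUID
        "slice": int(m["slice"]),
        # The hash file named in the message should belong to this bucket.
        "hash_file_matches": m["hash_file"] == f"l1Hashes_{key}.dat",
    }

def failures_by_bucket(lines):
    """Group failed slice numbers per bucket, sorted and de-duplicated."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_failure, lines)):
        grouped[rec["bucket_key"]].add(rec["slice"])
    return {k: sorted(v) for k, v in grouped.items()}

PREFIX = "Integrity check failed for bucket with path=/opt/splunk/XXXXXXXX/index/db/"
SAMPLE_LINES = [  # first line is from the answer; the others are constructed
    PREFIX + "rb_1480438183_1478748435_95_D6AXXXXXXXXX, Reason=Hash of journal "
    "slice# 45718 did not match the expected value in l1Hashes_95_D6AXXXXXXXXX.dat",
    PREFIX + "rb_1480438183_1478748435_95_D6AXXXXXXXXX, Reason=Hash of journal "
    "slice# 45720 did not match the expected value in l1Hashes_95_D6AXXXXXXXXX.dat",
    "Some unrelated log line",
]

if __name__ == "__main__":
    for bucket, slices in failures_by_bucket(SAMPLE_LINES).items():
        print(bucket, slices)
```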