I'm doing research on Splunk. I don't have direct access the product. I saw in a Splunk-provided presentation that "a bad bucket result returns the bucket number and slice number for a changed slice/bucket". Is this true? Here's the presentation:
https://conf.splunk.com/session/2015/conf2015_DBhagi_Splunk_SplunkEntWhatsNew_DataIntegrityControl.p...
Note: apparently karma is needed to post links. The presentation was by Dhruva Bhagi, Sr. Software Engineer at Splunk. The presentation is titled "Data Integrity Control".
I'd like to confirm this behavior. The check-integrity command and a snippet of sample output would be fantastic.
Thanks!
gary
Hello gary,
Yes it does tell you which slice is wrong with this kind of message:
Integrity check failed for bucket with path=/opt/splunk/XXXXXXXX/index/db/rb_1480438183_1478748435_95_D6AXXXXXXXXX, Reason=Hash of journal slice# 45718 did not match the expected value in l1Hashes_95_D6AXXXXXXXXX.dat
I haven't yet tried to understand which event inside the bucket is wrong based on the slice number and the slices size.
In our case we have an indexer cluster, when this message pops we replace the bucket (in this exemple a replicated bucket) with its copy available on another cluster node.