Hi,
I am seeing this message whenever I am trying to repair _introspection and _internal indexes using splunk fsck.
Skip bucket='/data/splunk/var/lib/splunk/_introspection/db/hot_v1_69714'; directory does not match any of the expected formats: db___ db____ rb____
I see lots of these messages in the _internal index.
12-01-2016 03:44:18.342 -0800 INFO DatabaseDirectoryManager - idx=_introspection Writing a bucket manifest in hotWarmPath='/data/splunk/var/lib/splunk/_introspection/db', pendingBucketUpdates=0 . Reason='Buckets were rebuilt or tsidx-minified (bucket_count=1).'
I cleared all event data and restarted Splunk, didn't help. Along with this issue, intropsection and some splunkd log files are getting created with 1GB size after I delete them and restart Splunk, no log configuration issue.
Any help or point to fix will be highly appreciated.
Thanks!
First off-
Skip bucket='/data/splunk/var/lib/splunk/_introspection/db/hot_v1_69714'; directory does not match any of the expected formats: db___ db____ rb____
This message indicates that it is skipping your hot buckets, because they have not rolled to warm. This is expected behavior. You cant repair hot buckets as they are still open for writing and changes. Once a hot bucket is rolled, it is renamed to db_ or rb_.
This is expected behavior.