Knowledge Management

successful summary search but no data in the summary index

paranoid
Explorer

An hourly scheduled summary search finishes successfully:

12-05-2012 05:17:27.966 +0000 INFO SavedSplunker - savedsearch_id="nobody;XXX;Summary Gen", user="nobody", app="XXX", savedsearch_name="Summary Gen", status=success, digest_mode=1, scheduled_time=1354684620, dispatch_time=1354684644, run_time=3.788, result_count=18244, alert_actions="summary_index", sid="scheduler_nobody_ZW1haWxfbWV0cmljc19hcHA_RMD59f64bf9adfa139f1_at_1354684620_60d34ceed7aa64ec", suppressed=0, thread_id="AlertNotifierWorker-0"

search.log in the dispatch directory has this error
12-05-2012 05:17:27.748 ERROR SummaryIndexProcessor - Error moving file '/var/groupon/splunk/var/run/splunk/1354684647.1.tmp' to '/var/groupon/splunk/var/spool/splunk/RMD59f64bf9adfa139f1_1502598233.stash_new'.

As a result the data doesn't arrive in the summary index. Also interesting that the scheduled search is considered successful

What does this error mean? There is plenty of free disk space.

Tags (1)
0 Karma

dart
Splunk Employee
Splunk Employee

The error means that the results file /var/groupon/splunk/var/run/splunk/1354684647.1.tmp could not be moved into the spool directory /var/groupon/splunk/var/spool/splunk which is where it would be picked up to be indexed, which has a sinkhole (delete after indexing) input set up.

Double check the permissions of the folder /var/groupon/splunk/var/spool/splunk. Is it on the same volume as the rest of Splunk or a different one? Are there any files in /var/groupon/splunk/var/spool/splunk?

0 Karma

paranoid
Explorer

The scheduled search works most of the time, so it's not permissions. /var/groupon/splunk/var/spool/splunk has quite a few files, will a name collision explain this?

And then I guess the next question is, why are there so many files there? Files should only live there for the duration of indexing. Some files are fra mid November and we are early December now.

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...