Trying to send the frozen buckets to a ECS Windows shared drive using CIFS mounted on Splunk Linux indexer. Permissions to Splunk service account on frozen is having full level modify access. Is there anything else we can troubleshooting for the below errors?
Looks like Splunk trying to rename the inflight folders on mount after copying and failing to do so. Buckets are getting copied to frozen location naming with inflight-db-*** which keeps retrying every few seconds
ERROR BucketMover - aborting move because failed to rename src='/data/frozen/index/name/inflight-db__** to dst='/data/frozen/index/name//db_**' (reason='Directory not empty')
ERROR BucketMover - aborting move because could not remove existing='/data/frozen/index/name/inflight-db__** (reason='Directory not empty')
Considerations regarding Common Internet File System (CIFS)/Server Message Block (SMB)
Splunk Enterprise supports the use of the CIFS/SMB protocol for the following purposes, on shares hosted by Windows hosts only:
Storage of cold or frozen Index buckets.
When you use a CIFS resource for storage, confirm that the resource has write permissions for the user that connects to the resource at both the file and share levels. If you use a third-party storage device, confirm that its implementation of CIFS is compatible with the implementation that your Splunk Enterprise instance runs as a client.
Do not index data to a mapped network drive on Windows (for example "Y:\" mapped to an external share.) Splunk Enterprise disables any index it encounters with a non-physical drive letter.
The key point to note is this: confirm that the resource has write permissions for the user that connects to the resource at both the file and share levels.