Getting this error - then Splunkd crashes..

edenzler · ‎08-01-2013

Error in 'databasePartitionPolicy': Failed to read 1 event(s) from rawdata in bucket '_internal~235~8AD95516-6DE5-4CCF-82AA-19FD5902414E'. Rawdata may be corrupt, see search.log

I poked around here, just want to be sure that whatever I do doesn't destroy my instance.

Any direction/suggestions would be greatly appreciated.

Cheers,

lukejadamec · ‎08-01-2013

It looks like you have a corrupt index (_internal).
You can run this command to check the index:

To check the metadata use this.

$SPLUNK/bin/splunk stop

$SPLUNK/bin/splunk cmd splunkd fsck --index _internal

To repair the metadata use this.

$SPLUNK/bin/splunk stop

$SPLUNK/bin/splunk cmd splunkd fsck --index _internal --mode metadata --repair

To rebuild the bucket use this.

$SPLUNK/bin/splunk stop

$SPLUNK/bin/splunk rebuild $SPLUNK/bin/splunk rebuild $SPLUNK/bin/splunk/var/lib/splunk/_internal/pathtobadbucket

Here is a link to a page that describes how to go about repairing indexes.
http://wiki.splunk.com/Check_and_Repair_Metadata

lmyrefelt · ‎02-11-2014

check also here for more / additional help / solution;

http://answers.splunk.com/answers/80882/corrupted-bucket-journal

Getting this error - then Splunkd crashes..

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!