Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are we seeing .dat files created in the cold to frozen path?

athorat
Communicator
‎08-20-2016 11:51 PM

alt text

We started seeing .dat files for all the indexes since 4th of august at the following path: /opt/splunk/var/lib/splunk
This is where the cold to frozen is pointed to.
There are no changes or upgrades on the server. Is anything wrong with the configurations?

Preview file
1 KB
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-21-2016 06:40 AM

These .dat files hold the next bucket ID to be created for that index, and they aren't influenced by homePath etc. settings in indexes.conf... mostly harmless.

Reply

ddrillic
Ultra Champion
‎08-21-2016 06:33 AM

It seems to be just fine as I see these tiny files as well and they hold numbers. _thefishbucket.dat holds a zero in my case, maybe the number of buckets.. ?

We can see an old refrefence (from 04/03/15) to these *.dat files at Why do I only see the current day's results in searches and should all files in /opt/splunk/var/lib/...

It says -

-- I'm a total splunk newbie, and I inherited a splunk server running on Red Hat Enterprise Linux 5. The other day, I did a reboot of the system. Since then, I can only view the current day's data when I run a search. The version of splunk is 5.0.9. Build 213964 Platform linux x86_64. The splunkd service is running as root, but when I look in /opt/splunk/var/lib/splunk, I see that all the files except for the ones ending in .dat are owned by splunk:splunk. The .dat files are owned by root:root. Should they all be owned by root?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...