Re: Indexer Cluster: Why am I seeing "event=replic...

vaianna · ‎10-02-2015

Hi,

I have a Splunk indexer cluster with these parameters:
1 Master node
1 Search Head node
2 Indexers
2 Forwarders
RF = 2, SF = 2, both don't respected

For several days, and in this moment, with a real-time search on _internal index, I see on the first Indexer many sequences of these type of errors. The other indexer doesn't have the same problem.

ERROR TcpInputProc - event=replicationData status=failed err=
ERROR S2SFileReceiver - event=rename replicationType=eJournalReplication  status=failed err=Rename failed in 1 attempt(s) made between  status code: 17

Which can be the cause of this behavior?

Thanks,

Prakhar_shukla · ‎04-10-2017

it is most likely happening because of corrupted buckets, you can see them in cluster master webpage as well. to fix the issue you need to remove them. please see how to remove bucket in this post

https://answers.splunk.com/answers/184484/what-should-i-do-with-bad-buckets-in-a-clustered-e.html?so...

vasanthmss · ‎04-19-2016

@Vaianna: Check this post https://answers.splunk.com/answers/295363/why-am-i-getting-error-s2sfilereceiver-eventstatsi.html

There are few of the checklist available to validate. If you have found the root cause share it..

V

Indexer Cluster: Why am I seeing "event=replicationData... event=rename replicationType=eJournalReplication status=failed" errors on one indexer?

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!