Could not read event. Results may be incomplete

arpit_arora · ‎11-16-2017

Hello, I am seeing the following error while running Splunk search.

"idx=##INDEX NAME HERE## Could not read event: cd=0:33610. Results may be incomplete ! (logging only the first such error; enable DEBUG to see the rest)"

Any idea why it might be happening? How can I search more logging for this error.

jmantor · ‎11-26-2018

I'm seeing a similar error. How would one ID the bucket that is a problem? What component should I put into Debug ?

claudio_manig · ‎11-26-2018

Here's what i used-- kudos to splunk support for that one:
Ensure that you've got $SPLUNK_DB set in your environment (source $SPLUNK_HOME/bin/setSplunkEnv):

find $SPLUNK_DB -type f -wholename '/db/[dr]b_/rawdata/journal.gz' | perl -ne 'chomp;$d=$;$d=~s/journal.gz$//;if(-e "$d/slicesv2.dat"){@s=splunk cmd splunkd slices-dat-util --print \Q$d\E;if(${^CHILD_ERROR_NATIVE}){print STDERR "Error processing $d\n"}elsif($s[$#s]!~/\d+:(?:\s+\d+){2}\s+(\d+)/){print STDERR "Error parsing results from $d\n"}else{print "$d\n" if $1 >= ((stat "$")[7])}}'

cheers

C_HIEN · ‎12-07-2017

Try to stop the indexer and do a rebuild on the bucket. Therefore sometimes even if the rebuild seems successful the bucket is still corrupted (7.0.1)

jaho_splunk · ‎11-29-2017

I am also seeing this for the _internal index: [indexer] idx=_internal Could not read event: cd=(n/a). Results may be incomplete !

C_HIEN · ‎12-07-2017

The "Could not read event: cd=(n/a)" bug has been fixed in 7.0.1

Could not read event. Results may be incomplete

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...