Dear Support,
I have 2 messages on the Splunk web interface:
"skipped indexing of internal audit events will keep dropping events until indexer congestion is remedied. Check space and other issues that may caused indexer to block"
"Error in 'databasePartitionPolicy': Failure to read 1 event(s) from rawdata in bucket'_internal-1679-C10009BFA-1DE1-1A491-8895-E35E6F221168'. Rawdata maybe corrupted, see search.logs"
I have tried to search under the following directory:
/opt/splunk/var/run/splunk/
where there are lots of directories with search.log.
I have tried to look at some of them and they seem to be OK.
Can someone from support advise on the above?