I am using Splunk 6.6.2
When I ran search in Splunk Web for index for more than 30 days timeline "index="indextest" , I get this error:
JournalSliceDirectory: Cannot seek to rawdata offset 0, path="/opt/splunk/var/lib/splunk/indextest/db/db_1502353482_1504459082_1/rawdata'
I have gone through some answers posted in Splunk and tried few fsck commands to repair
i ran the fsck scan command identified the corrupted buckets:
Eg:
splunk scan --all-buckets-all-indexes
output in unix:
Operating on: idx=indextest bucket='/opt/splunk/var/lib//splunk/indextest/db/db_1502353482_1504459082_1/rawdata'
JournalSliceDirectory: Cannot seek to rawdata offset 0, path="/opt/splunk/var/li b/splunk/indextest/db/db_1502353482_1504459082_1/rawdata"
Corruption: corrupt slicesv2.dat or slices.dat
Then tried to repair them:
splunk repair --all-buckets-all-indexes
Eg:
splunk fsck repair --one-bucket --index-name=indextest--bucket-name=db_1502353482_1504459082_1 --try-warm-then-cold
output in unix:
Operating on: idx=indextest bucket='/opt/splunk/var/lib/splunk/indextest/db/db_1502353482_1504459082_1/'
(entire bucket) Rebuild for bucket='/opt/splunk/var/lib/splunk/indextest/db/db_1502353482_1504459082_1' took 64.23 milliseconds
Repair entire bucket, index=indextest, tryWarmThenCold=1, bucket=/opt/splunk/var/lib/splunk/indextest/db/db_1502353482_1504459082_1, exists=1, localrc=7, failReason=No bloomfilter in finalDir='/opt/splunk/var/lib/splunk/indextest/db/db_1502353482_1504459082_1'
The issue is not resolved.. Then
I even tried disabling the index
/opt/splunk/bin/splunk disable index name_of_your_index
I started splunk up and enabled the index from the web gui and restarted splunk
Still the issue is not resolved.
Any help and hints appreciated
... View more