I am using Splunk 6.6.2
When I ran search in Splunk Web for index for more than 30 days timeline "index="indextest" , I get this error:
![alt text][1]
**JournalSliceDirectory: Cannot seek to rawdata offset 0, path="/opt/splunk/var/lib/splunk/indextest/db/db_1502353482_1504459082_1/rawdata'**
I have gone through some answers posted in Splunk and tried few fsck commands to repair
i ran the fsck scan command identified the corrupted buckets:
**Eg:**
*splunk scan --all-buckets-all-indexes*
**output in unix:**
Operating on: idx=indextest bucket='/opt/splunk/var/lib//splunk/indextest/db/db_1502353482_1504459082_1/rawdata'
JournalSliceDirectory: Cannot seek to rawdata offset 0, path="/opt/splunk/var/li b/splunk/indextest/db/db_1502353482_1504459082_1/rawdata"
Corruption: corrupt slicesv2.dat or slices.dat
Then tried to repair them:
*splunk repair --all-buckets-all-indexes*
**Eg:**
*splunk fsck repair --one-bucket --index-name=indextest--bucket-name=db_1502353482_1504459082_1 --try-warm-then-cold*
**output in unix:**
Operating on: idx=indextest bucket='/opt/splunk/var/lib/splunk/indextest/db/db_1502353482_1504459082_1/'
(entire bucket) Rebuild for bucket='/opt/splunk/var/lib/splunk/indextest/db/db_1502353482_1504459082_1' took 64.23 milliseconds
Repair entire bucket, index=indextest, tryWarmThenCold=1, bucket=/opt/splunk/var/lib/splunk/indextest/db/db_1502353482_1504459082_1, exists=1, localrc=7, failReason=No bloomfilter in finalDir='/opt/splunk/var/lib/splunk/indextest/db/db_1502353482_1504459082_1'
The issue is not resolved.. Then
I even tried disabling the index
*/opt/splunk/bin/splunk disable index name_of_your_index*
I started splunk up and enabled the index from the web gui and restarted splunk
Still the issue is not resolved.
Any help and hints appreciated
[1]: /storage/temp/217688-error2.png
↧