What do I do with buckets?
Buckets are portions of Splunk indexes. This article points you to a few resources for troubleshooting problems with buckets.
Might I be having issues with bucket rotation?
An unsuitable bucket rotation and retention policy can lead to:
- old events being deleted before they reach frozen buckets,
- hot and warm buckets filling up, stopping Splunk,
- old events not being archived correctly and thus still searchable when they shouldn't be, and
- poor searching or indexing performance.
Here's a Community Wiki article about bucket rotation and retention with specific recommendations and examples.
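To make the retention problem concrete, here is an added example (not part of this article or of Splunk's own tooling) that scans one index directory and lists the warm and cold buckets whose newest event already falls outside a chosen retention window, which is what a frozenTimePeriodInSecs of that length in indexes.conf would roll to frozen on the next housekeeping pass. Frozen data is deleted unless coldToFrozenDir or coldToFrozenScript archives it, so this is a quick way to see what a proposed retention value would discard before you commit to it. The script assumes Splunk's warm/cold bucket directory naming (db_<newest_epoch>_<oldest_epoch>_<id>); the index layout and epoch values it builds under a temp directory are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the Splunk docs): list warm/cold buckets that lie
# entirely outside a retention window, i.e. what a frozenTimePeriodInSecs of that
# length would roll to frozen. Frozen data is deleted unless coldToFrozenDir or
# coldToFrozenScript archives it, which is how "old events deleted before they
# reach frozen" happens in practice.
#
# Assumed bucket directory layout (Splunk's warm/cold naming convention):
#   <index_dir>/db/db_<newest_epoch>_<oldest_epoch>_<id>      warm
#   <index_dir>/colddb/db_<newest_epoch>_<oldest_epoch>_<id>  cold
# Hot buckets (hot_v1_<id>) are skipped: their time range is not final yet.

# buckets_past_retention <index_dir> <retention_seconds> <now_epoch>
# Prints one line per bucket whose newest event is older than now - retention.
buckets_past_retention() {
    idx_dir=$1
    retention=$2
    now=$3
    cutoff=$((now - retention))
    for sub in db colddb; do
        [ -d "$idx_dir/$sub" ] || continue
        for b in "$idx_dir/$sub"/db_*; do
            [ -d "$b" ] || continue
            name=${b##*/}
            newest=$(printf '%s\n' "$name" | cut -d_ -f2)
            oldest=$(printf '%s\n' "$name" | cut -d_ -f3)
            # Skip anything that does not follow the db_<num>_<num>_<id> pattern.
            case "$newest$oldest" in
                ''|*[!0-9]*) continue ;;
            esac
            if [ "$newest" -lt "$cutoff" ]; then
                printf '%s/%s newest=%s oldest=%s age_days=%s\n' \
                    "$sub" "$name" "$newest" "$oldest" "$(( (now - newest) / 86400 ))"
            fi
        done
    done
}

# count_past_retention: same scan, but returns only the number of buckets affected.
count_past_retention() {
    buckets_past_retention "$@" | wc -l | tr -d ' '
}

# make_sample_index: constructed index directory with four buckets under a temp dir.
# The epochs are constructed sample values; "now" in the demo is 1357000000 (1 Jan 2013).
make_sample_index() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/db/db_1356998400_1356912000_1"      # warm, newest 1 Jan 2013
    mkdir -p "$tmp/db/db_1354320000_1354233600_2"      # warm, newest 1 Dec 2012
    mkdir -p "$tmp/colddb/db_1325376000_1325289600_3"  # cold, newest 1 Jan 2012
    mkdir -p "$tmp/db/hot_v1_4"                        # hot, ignored by the scan
    printf '%s\n' "$tmp"
}

# Demo: a 90-day window (7776000 s) rolls only the year-old cold bucket;
# a 1-day window would also take the December warm bucket.
sample=$(make_sample_index)
buckets_past_retention "$sample" 7776000 1357000000
rm -rf "$sample"
```

Run it against a real index by passing the index's directory (the parent of its db/ and colddb/), the retention value you are considering in seconds, and `$(date +%s)`; any bucket it lists is one that would be lost for good under that setting unless a frozen archive path or script is configured.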
Recover metadata for a corrupt Splunk index directory
Contact Splunk Support for direction before using this command.
The recover-metadata command recovers missing or corrupt metadata associated with any Splunk index directory, sometimes also referred to as a bucket.
If your Splunk instance will not start, a possible cause is that one or more of your index buckets is corrupt in some way. Contact Support; they will help you determine if this is indeed the case and if so, which bucket(s) are affected. Then, run this command:
$SPLUNK_HOME/bin/splunk cmd recover-metadata <full path to the exact index directory/bucket>
Splunk returns a success or failure message.
Recovering and rebuilding buckets
The Managing Indexers and Clusters Manual has a thorough explanation of buckets. This section of "How Splunk stores indexes" tells you how to troubleshoot bucket problems, like recovering after a crash and rebuilding buckets. You'll probably want to read from the start of that page, though, to get some background first.
This documentation applies to the following versions of Splunk: 5.0, 5.0.1, 5.0.2