Hi,
I'm getting the following error in my indexers' splunkd.log. I have an indexer cluster with RF=3 and SF=3, one master and one search head.
ERROR S2SFileReceiver - event=statSize replicationType=eJournalReplication bid=test~26~89C0FF94-5EB0-410A-9B4D-0E17DBD7FB78 path=/opt/splunk/var/lib/splunk/test/db/26_89C0FF94-5EB0-410A-9B4D-0E17DBD7FB78/rawdata/journal.gz status=failed
Any thoughts?
Thanks,
It is most likely happening because of corrupted buckets; you can see them on the cluster master web page as well. To fix the issue you need to remove them. Please see how to remove a bucket in this post.
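Before removing anything, it may be worth confirming that the bucket's rawdata journal is actually corrupt. A minimal sketch using `gzip -t` (the bucket path below is taken from the error message and is just an example; adjust it for your environment):

```shell
# Sketch: check whether a bucket's rawdata journal is a valid gzip archive.
# Assumes gzip is installed; the path is an example from the error above.
check_journal() {
    if gzip -t "$1" 2>/dev/null; then
        echo "OK: $1"
    else
        echo "CORRUPT or missing: $1"
    fi
}

# Demo with a throwaway file; on a real indexer you would point this at e.g.
# /opt/splunk/var/lib/splunk/test/db/26_89C0FF94-5EB0-410A-9B4D-0E17DBD7FB78/rawdata/journal.gz
echo "sample data" | gzip > /tmp/journal_demo.gz
check_journal /tmp/journal_demo.gz       # prints OK: /tmp/journal_demo.gz
check_journal /tmp/does_not_exist.gz     # prints CORRUPT or missing: ...
```

If `gzip -t` fails on the real journal.gz, that supports the corrupted-bucket theory; if it passes, the problem is more likely in replication itself (network, ports, disk).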
My first thought: Splunk appears to be having difficulty replicating raw data between indexers.
Did clustering ever work, or is this a new setup?
Does this message appear on all indexers?
Is disk space available on all indexers?
Do you have constraints on index size or volume size?
Is the network connection between indexers good?
Is the replication port open between all indexers?
Is the replication port used ONLY for replication (it's not the splunkd port or the receiving port)?
Are all indexers configured identically?
How many indexers are in the cluster?
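A couple of the checks above (replication-port reachability in particular) can be scripted from any one of the indexers. A minimal sketch; the hostnames and port 9887 are assumptions, so substitute your own peer names and configured replication port:

```shell
# Sketch: verify the replication port is reachable on each cluster peer.
# INDEXERS and REPL_PORT are assumptions -- use your own peers and port.
INDEXERS="idx1 idx2 idx3"
REPL_PORT=9887

check_port() {
    # Uses bash's /dev/tcp pseudo-device with a 3-second timeout,
    # so no extra tools like nc are required.
    if timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; then
        echo "$1:$2 open"
    else
        echo "$1:$2 closed or unreachable"
    fi
}

for host in $INDEXERS; do
    check_port "$host" "$REPL_PORT"
done
# (For the disk-space question, run on each indexer:
#  df -h /opt/splunk/var/lib/splunk)
```

If any peer reports closed/unreachable while the others are fine, that would line up with the error appearing on only some indexers.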
Did clustering ever work, or is this a new setup?
It is a working cluster environment. I've seen this error only about three times so far.
Does this message appear on all indexers?
No.
Is disk space available on all indexers?
Yes
Do you have constraints on index size or volume size?
None
Is the network connection between indexers good?
Yes
Is the replication port open between all indexers?
Yes
Is the replication port used ONLY for replication (it's not the splunkd port or the receiving port)?
Yes, it is used for replication only.
Are all indexers configured identically?
Yes
How many indexers are in the cluster?
There are 3 indexers in the cluster, all with the same configuration.
Did you ever figure out what this was?
@sympatiko: did you find the root cause?