Re: How to fsck scan thaweddb folder?

goran_zivkovic · ‎12-28-2016

According to official Troubleshooting documentation fscan command has "--thawed" switch in splunk 6.5.1 version also.
(http://docs.splunk.com/Documentation/Splunk/6.5.1/Troubleshooting/CommandlinetoolsforusewithSupport)

I tried to use it as:
splunk fsck scan --all-buckets-one-index --index-name=my_index ----thawed
and got response:
_ Unrecognized argument "--thawed"_

Any idea how to scan all thawed bucket without use external script and single bucket selection?
(splunk fsck scan --one-bucket --bucket-path=/opt/splunk/var/lib/splunk/my_index/thaweddb/db_1234567890/

goran_zivkovic · ‎01-09-2017

Hi,

As I sad, I used ".. --index myindex" as described in help command, and got error "Unrecognized argument "--index""

goran_zivkovic · ‎12-29-2016

Hi!

Seems that there are some errors on support page:

root@myserver# /opt/splunk/bin/splunk fsck scan --all-buckets-one-index --index myindex --thawed
Unrecognized argument "--index"

Also:
root@myserver# /opt/splunk/bin/splunk fsck --help

USAGE

Supported modes are: scan, repair, clear-bloomfilter, check-integrity, generate-hash-files

:= --one-bucket|--all-buckets-one-index|--all-buckets-all-indexes
[--index-name=] [--bucket-name=] [--bucket-path=]
[--include-hots]
[--local-id=] [--origin-guid=]
[--min-ET=] [--max-LT=]

goran_zivkovic · ‎01-02-2017

Hi!

Little bash scripting can help:

for bucket_folder in ls -1 thawed_folder; do /opt/splunk/bin/splunk fsck scan --one-bucket --bucket-path=thawed_folder/$bucket_folder;done

🙂

ddrillic · ‎12-29-2016

Based on Command line tools for use with Support

We see -

Your --index-name=my_index doesn't look right...

How to fsck scan thaweddb folder?

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team