Forums: SplunkAdministration: Splunk daemon crashes after RPM upgrade from 4.0.2 to 4.0.4

Hi all,
I've updated from Splunk 4.0.2 to 4.0.4, and I now receive the following error every time the service starts. I'm on CentOS 5.3 32 bit. Here is the error from splunkd.log

ERROR HotDBManager - found overlapping buckets: id=2 [et,lt,span,flush,lru]=[-1,1243776563,7776000,2147483647,1254878818] and id=1 [et,lt,span,flush,lru]=[-1,1254106865,7776000,2147483647,1254878818]

Here's the error from the web interface

splunkd: /opt/splunk/p4/splunk/branches/madonna/src/pipeline/indexer/HotDBManager.cpp:305: bool bucket_compare(const DBBucket*, const DBBucket*): Assertion `0 && "your hot buckets are overlapping, see splunkd.log and call Splunk Support to help resolve"' failed. splunkd: /opt/splunk/p4/splunk/branches/madonna/src/pipeline/indexer/HotDBManager.cpp:305: bool bucket_compare(const DBBucket*, const DBBucket*): Assertion `0 && "your hot buckets are overlapping, see splunkd.log and call Splunk Support to help resolve"' failed.

Any Ideas how to fix

[Revised on Tue, 06 Oct 2009 18:35:29 -0700]

this issue?

thanks,
Todd

Damn, I thought this was fixed, open up a support case for sure. Do you have enterprise support?

What this means is that two of your hot buckets (probably the ones that end in hot_v1_1 and hot_v1_2 in $SPLUNK_HOME/var/lib/splunk/defaultdb/db/) have overlapping times in them. This shouldn't cause Splunk to crash, but alas.

Unfortunately not. I'm waiting on our sales rep to take our CC number to buy a license :). I've contacted sales though, so I should have a quote generated. Can you flick me an email at (My First Name from above post ) AT spidertracks.co.nz and I'll give you more details?

Go ahead and email support at splunk dot com with your details. It would also help if you ran ./splunk diag and attached it to your email. I will keep an eye out for it and get it to the proper folks.

we've seen this in the past when customers use a 32 bit binary for 64 bit machines, somewhere

there is already a bug opened for this: http://jira.splunk.com:8080/browse/SPL-26089

respond to vishal for further details

Thanks Vishal SSorkin - confirmed that the problem was a 32-bit binary of a 64-bit install.

I'm having this same issue. Was running Splunk 4.0.4 on Mac OS 10.5, and it was running in 64bit. Upgraded to 10.6 since the release notes for 4.0.5 said "Officially supports 10.6", and now it only runs in 32-bit. Support has told me this is what is supposed to happen, but now I can't get splunk running because I get:

11-10-2009 16:22:09.065 ERROR HotDBManager - found overlapping buckets: id=1 [et,lt,span,flush,lru]=[-1,1215512100,7776000,2147483647,1257898926] and id=0 [et,lt,span,flush,lru]=[-1,1207705488,7776000,2147483647,1257898926]

Everytime I start splunk. Same result with 4.0.6. This is a Mac Mini, 2009, 2.0ghz C2D.

One suggestion that I'd try (don't know if it will work, but it won't hurt since you're crashing anyway) is to create/edit your indexes.conf file and add:

[main]
maxDataSize = 10000

If it still doesn't work work, try

[main]
maxDataSize = 750

Again, I have no idea if these will work.