https://community.splunk.com/t5/Security/mxHotBuckets-in-Splunk-Indexes/m-p/500344#M15411 <P>Hi Guys,</P> <P>What does maxHotBuckets does,</P> <P>Let's say if I don't set it, its value is 3 then will my indexer have 3 hot buckets every time or will it have depending on amount of data arrival.</P> <P>For ex: if an index is ingesting 500MB per day(summary index on real time index search) then it just uses one hot bucket instead of 3?</P> <P>any advice - highly appreciated.</P> <P>Pramodh</P> Thu, 26 Mar 2020 00:23:42 GMT PramodhKumar 2020-03-26T00:23:42Z https://community.splunk.com/t5/Security/mxHotBuckets-in-Splunk-Indexes/m-p/500344#M15411 <P>Hi Guys,</P> <P>What does maxHotBuckets does,</P> <P>Let's say if I don't set it, its value is 3 then will my indexer have 3 hot buckets every time or will it have depending on amount of data arrival.</P> <P>For ex: if an index is ingesting 500MB per day(summary index on real time index search) then it just uses one hot bucket instead of 3?</P> <P>any advice - highly appreciated.</P> <P>Pramodh</P> Thu, 26 Mar 2020 00:23:42 GMT https://community.splunk.com/t5/Security/mxHotBuckets-in-Splunk-Indexes/m-p/500344#M15411 PramodhKumar 2020-03-26T00:23:42Z https://community.splunk.com/t5/Security/mxHotBuckets-in-Splunk-Indexes/m-p/500345#M15412 <P>according to <A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf">https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf</A></P> <PRE><CODE>maxHotBuckets = &lt;positive integer&gt; * Maximum number of hot buckets that can exist per index. * When 'maxHotBuckets' is exceeded, Splunk rolls the least recently used (LRU) hot bucket to warm. * Both normal hot buckets and quarantined hot buckets count towards this total. * This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll. * NOTE: Splunkd applies this limit per ingestion pipeline. For more information about multiple ingestion pipelines, see 'parallelIngestionPipelines' in the server.conf.spec file. * With N parallel ingestion pipelines, the maximum number of hot buckets across all of the ingestion pipelines is N * 'maxHotBuckets', but only 'maxHotBuckets' for each ingestion pipeline. Each ingestion pipeline independently writes to and manages up to 'maxHotBuckets' number of hot buckets. As a consequence of this, when multiple ingestion pipelines are used, there may be multiple (dependent on number of ingestion pipelines configured) hot buckets with events with overlapping time ranges. * The highest legal value is 4294967295 * Default: 3 </CODE></PRE> <P><EM>Let's say if I don't set it, its value is 3 then will my indexer have 3 hot buckets every time or will it have depending on amount of data arrival</EM> - every time <STRONG>max</STRONG> 3 hot buckets unless you have multiple ingestion pipelines</P> <P><EM>if an index is ingesting 500MB per day(summary index on real time index search) then it just uses one hot bucket instead of 3?</EM> - yes, usually you will see only one hot bucket </P> Thu, 26 Mar 2020 10:26:10 GMT https://community.splunk.com/t5/Security/mxHotBuckets-in-Splunk-Indexes/m-p/500345#M15412 PavelP 2020-03-26T10:26:10Z