https://community.splunk.com/t5/Getting-Data-In/Why-are-we-not-seeing-expected-behavior-for-maxTotalDataSizeMB/m-p/235570#M45844 <P>I'm seeing a sudden spike in data coming from our firewalls (edge and internal). On average an increase of 202% daily. It's caused a 42% surge in my license use. While we're chasing that down, I wanted to make sure that I'm not shipping things to frozen prematurely.</P> <P>That said: Indexes.conf snippet for networks</P> <PRE><CODE>[networks] homePath = volume:hot/networks/db coldPath = volume:cold/networks/colddb thawedPath = $SPLUNK_DB/networks/thaweddb maxTotalDataSizeMB = 2541818 homePath.maxDataSizeMB = 1694630 coldPath.maxDataSizeMB = 847188 #explicit path to frozen directory coldToFrozenDir = /splunkdatafrozen/networks </CODE></PRE> <P>So I would expect a total footprint of hot/warm/cold to be 2.54 TB. </P> <P>My actual footprint seems to be....</P> <PRE><CODE>:/splunkdatahot # du -hs networks/ 213G networks/ :/splunkdatacold # du -hs networks/ 828G networks/ </CODE></PRE> <P>For a total of 1041 GB. </P> <P>What's frosting my cookies the wrong flavor is the face that my homePath.maxDataSizeMB is set to 1.694 TB, but hot/warm only has 213G, whereas coldPath.maxDataSizeMB is 847 GB. Cold use appears to be close to that, but Hot/Warm isn't close to that and the footprint is NOT increasing in hot/warm day to day.</P> <P>So what is it in indexes.conf config for this index we are doing wrong? </P> <P>Please note that while we're sorting out where we're actually going to put frozen, my hot/warm is larger than cold, so we had been trying to shoot for around a 70/30 split between hot/cold. (I know that's inverted but I have a large amount of SSD here - whereas we don't have SAN for cold or frozen - yet)</P> <P>Any insight appreciated.</P> <P>-The Admiral.</P> Thu, 06 Oct 2016 16:11:58 GMT Admiral_Marith 2016-10-06T16:11:58Z https://community.splunk.com/t5/Getting-Data-In/Why-are-we-not-seeing-expected-behavior-for-maxTotalDataSizeMB/m-p/235570#M45844 <P>I'm seeing a sudden spike in data coming from our firewalls (edge and internal). On average an increase of 202% daily. It's caused a 42% surge in my license use. While we're chasing that down, I wanted to make sure that I'm not shipping things to frozen prematurely.</P> <P>That said: Indexes.conf snippet for networks</P> <PRE><CODE>[networks] homePath = volume:hot/networks/db coldPath = volume:cold/networks/colddb thawedPath = $SPLUNK_DB/networks/thaweddb maxTotalDataSizeMB = 2541818 homePath.maxDataSizeMB = 1694630 coldPath.maxDataSizeMB = 847188 #explicit path to frozen directory coldToFrozenDir = /splunkdatafrozen/networks </CODE></PRE> <P>So I would expect a total footprint of hot/warm/cold to be 2.54 TB. </P> <P>My actual footprint seems to be....</P> <PRE><CODE>:/splunkdatahot # du -hs networks/ 213G networks/ :/splunkdatacold # du -hs networks/ 828G networks/ </CODE></PRE> <P>For a total of 1041 GB. </P> <P>What's frosting my cookies the wrong flavor is the face that my homePath.maxDataSizeMB is set to 1.694 TB, but hot/warm only has 213G, whereas coldPath.maxDataSizeMB is 847 GB. Cold use appears to be close to that, but Hot/Warm isn't close to that and the footprint is NOT increasing in hot/warm day to day.</P> <P>So what is it in indexes.conf config for this index we are doing wrong? </P> <P>Please note that while we're sorting out where we're actually going to put frozen, my hot/warm is larger than cold, so we had been trying to shoot for around a 70/30 split between hot/cold. (I know that's inverted but I have a large amount of SSD here - whereas we don't have SAN for cold or frozen - yet)</P> <P>Any insight appreciated.</P> <P>-The Admiral.</P> Thu, 06 Oct 2016 16:11:58 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-we-not-seeing-expected-behavior-for-maxTotalDataSizeMB/m-p/235570#M45844 Admiral_Marith 2016-10-06T16:11:58Z https://community.splunk.com/t5/Getting-Data-In/Why-are-we-not-seeing-expected-behavior-for-maxTotalDataSizeMB/m-p/235571#M45845 <P>I think this may be your answer, from indexes.conf.spec</P> <PRE><CODE>maxWarmDBCount = &lt;nonnegative integer&gt; * The maximum number of warm buckets. * Warm buckets are located in the &lt;homePath&gt; for the index. * If set to zero, Splunk will not retain any warm buckets (will roll them to cold as soon as it can) * Highest legal value is 4294967295 * Defaults to 300. </CODE></PRE> <P>So when your warm bucket count hits 301, the oldest warm bucket is moved to cold - regardless of how much space you have.</P> <P>Also the maximum size parameter only applies to hot, warm and cold buckets. Frozen and thawed buckets do not count, and Splunk will not remove them.</P> Thu, 06 Oct 2016 21:32:22 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-we-not-seeing-expected-behavior-for-maxTotalDataSizeMB/m-p/235571#M45845 lguinn2 2016-10-06T21:32:22Z https://community.splunk.com/t5/Getting-Data-In/Why-are-we-not-seeing-expected-behavior-for-maxTotalDataSizeMB/m-p/235572#M45846 <P>So if I understand this correctly. that limit is on a per index basis, so if one sets it globally in [default] for the indexes.conf to say 1200, that's 1200 warm buckets per index.</P> Fri, 28 Oct 2016 16:27:52 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-we-not-seeing-expected-behavior-for-maxTotalDataSizeMB/m-p/235572#M45846 Admiral_Marith 2016-10-28T16:27:52Z https://community.splunk.com/t5/Getting-Data-In/Why-are-we-not-seeing-expected-behavior-for-maxTotalDataSizeMB/m-p/235573#M45847 <P>Yes, this limit is per index. You can set it globally, or you can set it for each index differently.</P> Sun, 30 Oct 2016 06:34:49 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-we-not-seeing-expected-behavior-for-maxTotalDataSizeMB/m-p/235573#M45847 lguinn2 2016-10-30T06:34:49Z