https://community.splunk.com/t5/Getting-Data-In/maxHotSpanSecs-not-rolling-hot-buckets/m-p/360473#M65748 <P>how long have you had these settings in place? You mention one bucket has data from 2016/04/01 ~2017/02/08.... how about all the buckets since you made this change? </P> <P>Splunk will not go back in time and readjust buckets to your new boundaries. That is to say, if you didnt have these settings before, the buckets would have contained upwards of 10GB / 90 days whichever is greater. Also, fringe events can be indexed into the same bucket when they arrive out of order. </P> <P>For example, if I have cold and warm buckets from 2015 &amp; 2016, and a hot bucket for 2017... and events come in with timestamps from 2014... the 2014 events will be dropped into the hot bucket. Now this hot bucket will show it has data from 2014 - 2017. In new and large environments, this happens all the time as you on-board new data sources. </P> Tue, 09 May 2017 04:47:08 GMT jkat54 2017-05-09T04:47:08Z https://community.splunk.com/t5/Getting-Data-In/maxHotSpanSecs-not-rolling-hot-buckets/m-p/360470#M65745 <P>I use "maxHotSpanSecs" to cut the size of each bucket received.<BR /> Only join "maxHotSpanSecs = 2592000" (30d) in test of local/indexes.conf<BR /> (index=test)<BR /> Execution results: Each bucket is greater than 30 days . EX: one bucket :2016/04/01 ~2017/02/08<BR /> Do not know why the cutting is unsuccessful?<BR /> TKS.</P> Wed, 03 May 2017 06:09:36 GMT https://community.splunk.com/t5/Getting-Data-In/maxHotSpanSecs-not-rolling-hot-buckets/m-p/360470#M65745 jek01 2017-05-03T06:09:36Z https://community.splunk.com/t5/Getting-Data-In/maxHotSpanSecs-not-rolling-hot-buckets/m-p/360471#M65746 <P>[test]<BR /> coldPath = $SPLUNK_DB/test/colddb<BR /> enableDataIntegrityControl = 0<BR /> enableTsidxReduction = 0<BR /> homePath = $SPLUNK_DB/test/db<BR /> maxTotalDataSizeMB = 512000<BR /> thawedPath = $SPLUNK_DB/test/thaweddb<BR /> maxHotSpanSecs = 259200<BR /> maxWarmDBCount = 500</P> <P>[test_1]<BR /> coldPath = $SPLUNK_DB/test_1/colddb<BR /> enableDataIntegrityControl = 0<BR /> enableTsidxReduction = 0<BR /> homePath = $SPLUNK_DB/test_1/db<BR /> maxTotalDataSizeMB = 512000<BR /> thawedPath = $SPLUNK_DB/test_1/thaweddb<BR /> maxHotSpanSecs = 259200<BR /> maxHotBuckets = 1<BR /> maxWarmDBCount = 500</P> Tue, 29 Sep 2020 13:59:24 GMT https://community.splunk.com/t5/Getting-Data-In/maxHotSpanSecs-not-rolling-hot-buckets/m-p/360471#M65746 jek01 2020-09-29T13:59:24Z https://community.splunk.com/t5/Getting-Data-In/maxHotSpanSecs-not-rolling-hot-buckets/m-p/360472#M65747 <P>In the second stanza you set <CODE>maxHotBuckets=1</CODE> which will do this:</P> <PRE><CODE> NOTE: If you set maxHotBuckets to 1, Splunk attempts to send all events to the single hot bucket and `maxHotSpanSecs` will not be enforced </CODE></PRE> Tue, 09 May 2017 02:43:56 GMT https://community.splunk.com/t5/Getting-Data-In/maxHotSpanSecs-not-rolling-hot-buckets/m-p/360472#M65747 MuS 2017-05-09T02:43:56Z https://community.splunk.com/t5/Getting-Data-In/maxHotSpanSecs-not-rolling-hot-buckets/m-p/360473#M65748 <P>how long have you had these settings in place? You mention one bucket has data from 2016/04/01 ~2017/02/08.... how about all the buckets since you made this change? </P> <P>Splunk will not go back in time and readjust buckets to your new boundaries. That is to say, if you didnt have these settings before, the buckets would have contained upwards of 10GB / 90 days whichever is greater. Also, fringe events can be indexed into the same bucket when they arrive out of order. </P> <P>For example, if I have cold and warm buckets from 2015 &amp; 2016, and a hot bucket for 2017... and events come in with timestamps from 2014... the 2014 events will be dropped into the hot bucket. Now this hot bucket will show it has data from 2014 - 2017. In new and large environments, this happens all the time as you on-board new data sources. </P> Tue, 09 May 2017 04:47:08 GMT https://community.splunk.com/t5/Getting-Data-In/maxHotSpanSecs-not-rolling-hot-buckets/m-p/360473#M65748 jkat54 2017-05-09T04:47:08Z