https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411848#M72907 <P>In regard to your settings:</P> <PRE><CODE> homePath = volume:home/indexname/db coldPath = volume:SAN/indexname/colddb thawedPath = $SPLUNK_THAW_VOL/indexname/thaweddb </CODE></PRE> <P>From the <A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/Indexesconf" target="_blank">indexes.conf documentation</A>:</P> <BLOCKQUOTE> <P>thawedPath must be specified, and cannot use volume: syntax<BR /> choose a location convenient for reconstitition from archive goals<BR /> For many sites, this may never be used.</P> </BLOCKQUOTE> <P>From your settings:</P> <PRE><CODE> # the max settings are copied from main's default max settings maxMemMB = 20 </CODE></PRE> <P>From the <A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/Indexesconf" target="_blank">indexes.conf documentation</A> this defaults to 5 in the newest version:</P> <BLOCKQUOTE> <P>IMPORTANT: Calculate this number<BR /> carefully. splunkd will crash if you<BR /> set this number higher than the<BR /> amount of memory available. The<BR /> default is recommended for all<BR /> environments.</P> </BLOCKQUOTE> <P>Finally:</P> <PRE><CODE> homePath.maxDataSizeMB = 409600 coldPath.maxDataSizeMB = 1536000 maxTotalDataSizeMB = 1945600 frozenTimePeriodInSecs = 7776000 </CODE></PRE> <P>All of these can effect the cold to frozen decision, the once either the homePath size limit is reached <EM>or</EM> maxWarmDBCount is reached <EM>or</EM> you reach the hot volume limit (in your example volume:home) you will roll to cold.<BR /> From there either 1536000MB can be reached <EM>or</EM> frozen time period in seconds <EM>or</EM> cold volume (volume:SAN) in your example, can result buckets rolling to frozen.<BR /> Note this all applies <EM>per</EM> indexer.</P> <P>solarboyz1 provided some example searches for this. Also personally I wouldn't use maxHotIdleSecs or tweak your maxHotBuckets settings unless you know what you are doing.<BR /> Finally, auto_high_volume is designed for higher volume indexes FYI</P> <P>FYI within the <A href="https://splunkbase.splunk.com/app/3796/" target="_blank">Alerts for Splunk Admins</A> app I have two alerts that relate to this scenario:<BR /> IndexerLevel - Buckets are been frozen due to index sizing, effectively:</P> <PRE><CODE>index=_internal `indexerhosts` sourcetype=splunkd "BucketMover - will attempt to freeze" NOT "because frozenTimePeriodInSecs=" </CODE></PRE> <P>And IndexerLevel - Cold data location approaching size limits which I will not paste here.<BR /> Application <A href="https://splunkbase.splunk.com/app/3796/" target="_blank">here</A> or <A href="https://github.com/gjanders/SplunkAdmins/blob/master/default/savedsearches.conf" target="_blank">github</A> if you just want the searches</P> Tue, 29 Sep 2020 19:35:10 GMT gjanders 2020-09-29T19:35:10Z https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411843#M72902 <PRE><CODE>repFactor = auto homePath = volume:home/indexname/db coldPath = volume:SAN/indexname/colddb thawedPath = $SPLUNK_THAW_VOL/indexname/thaweddb # the max settings are copied from main's default max settings maxMemMB = 20 maxConcurrentOptimizes = 6 maxHotIdleSecs = 86400 maxHotBuckets = 10 maxDataSize = auto_high_volume homePath.maxDataSizeMB = 409600 coldPath.maxDataSizeMB = 1536000 maxTotalDataSizeMB = 1945600 # maxTotalDataSizeMB = ? # keep logs for 90 days frozenTimePeriodInSecs = 7776000 </CODE></PRE> <P>The logs seem to be rolling from cold to frozen at around 60 days, all but one or two source types (so when I search back to between 60 and 90 days I only see one or two sourcetypes when there should exist over 20).</P> <P>The coldpath limit isn't even close to being hit on this index. I implemented this index configuration at the beginning of the year so it should be keeping the data for 90 day periods, yet it's throwing them out before. Are there other areas that can trigger a rolling from cold to frozen? We have plenty of space on the drives as well.</P> Thu, 17 May 2018 20:35:00 GMT https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411843#M72902 briancronrath 2018-05-17T20:35:00Z https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411844#M72903 <P>There are multiple factors to why a bucket rolls.<BR /> Run the following search: </P> <PRE><CODE>index=_* component=BucketMover "will attempt to freeze" </CODE></PRE> <P>You should see event similar to:</P> <PRE><CODE>07-24-2014 01:30:51.609 +0200 INFO BucketMover - will attempt to freeze: candidate='/opt/SP/apps/splunk/splunk-6.0.1/var/lib/splunk/rest/db/db_1392823223_1392819715_1' **because frozenTimePeriodInSecs=2419200 exceeds difference between now=1406158251 and latest=1392823223** </CODE></PRE> <P>These events show the reason the bucket were rolled. That would help pinpoint the root cause. </P> Thu, 17 May 2018 21:16:01 GMT https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411844#M72903 solarboyz1 2018-05-17T21:16:01Z https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411845#M72904 <P>Thank you, this is definitely helpful! Although, one thing that still isn't adding up, is that if I search just for the index in question, the only reason it ever gives is that the frozenTimePeriodInSecs=7776000 is exceeded by the difference between now=number and latest=number</P> <P>I don't suppose there is any other reason it might be getting evicted?</P> Fri, 18 May 2018 16:07:14 GMT https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411845#M72904 briancronrath 2018-05-18T16:07:14Z https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411846#M72905 <P>The other common reasons I am aware of are when the max index size is hit or max volume size. </P> Fri, 18 May 2018 17:48:47 GMT https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411846#M72905 solarboyz1 2018-05-18T17:48:47Z https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411847#M72906 <P>maxTotalDataSizeMB = 1945600</P> <P>This indicates the total size of the index. If you are only seeing the issue on a few indexes, I would verify these settings. </P> Fri, 18 May 2018 18:34:01 GMT https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411847#M72906 solarboyz1 2018-05-18T18:34:01Z https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411848#M72907 <P>In regard to your settings:</P> <PRE><CODE> homePath = volume:home/indexname/db coldPath = volume:SAN/indexname/colddb thawedPath = $SPLUNK_THAW_VOL/indexname/thaweddb </CODE></PRE> <P>From the <A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/Indexesconf" target="_blank">indexes.conf documentation</A>:</P> <BLOCKQUOTE> <P>thawedPath must be specified, and cannot use volume: syntax<BR /> choose a location convenient for reconstitition from archive goals<BR /> For many sites, this may never be used.</P> </BLOCKQUOTE> <P>From your settings:</P> <PRE><CODE> # the max settings are copied from main's default max settings maxMemMB = 20 </CODE></PRE> <P>From the <A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/Indexesconf" target="_blank">indexes.conf documentation</A> this defaults to 5 in the newest version:</P> <BLOCKQUOTE> <P>IMPORTANT: Calculate this number<BR /> carefully. splunkd will crash if you<BR /> set this number higher than the<BR /> amount of memory available. The<BR /> default is recommended for all<BR /> environments.</P> </BLOCKQUOTE> <P>Finally:</P> <PRE><CODE> homePath.maxDataSizeMB = 409600 coldPath.maxDataSizeMB = 1536000 maxTotalDataSizeMB = 1945600 frozenTimePeriodInSecs = 7776000 </CODE></PRE> <P>All of these can effect the cold to frozen decision, the once either the homePath size limit is reached <EM>or</EM> maxWarmDBCount is reached <EM>or</EM> you reach the hot volume limit (in your example volume:home) you will roll to cold.<BR /> From there either 1536000MB can be reached <EM>or</EM> frozen time period in seconds <EM>or</EM> cold volume (volume:SAN) in your example, can result buckets rolling to frozen.<BR /> Note this all applies <EM>per</EM> indexer.</P> <P>solarboyz1 provided some example searches for this. Also personally I wouldn't use maxHotIdleSecs or tweak your maxHotBuckets settings unless you know what you are doing.<BR /> Finally, auto_high_volume is designed for higher volume indexes FYI</P> <P>FYI within the <A href="https://splunkbase.splunk.com/app/3796/" target="_blank">Alerts for Splunk Admins</A> app I have two alerts that relate to this scenario:<BR /> IndexerLevel - Buckets are been frozen due to index sizing, effectively:</P> <PRE><CODE>index=_internal `indexerhosts` sourcetype=splunkd "BucketMover - will attempt to freeze" NOT "because frozenTimePeriodInSecs=" </CODE></PRE> <P>And IndexerLevel - Cold data location approaching size limits which I will not paste here.<BR /> Application <A href="https://splunkbase.splunk.com/app/3796/" target="_blank">here</A> or <A href="https://github.com/gjanders/SplunkAdmins/blob/master/default/savedsearches.conf" target="_blank">github</A> if you just want the searches</P> Tue, 29 Sep 2020 19:35:10 GMT https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411848#M72907 gjanders 2020-09-29T19:35:10Z https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411849#M72908 <P>so here is something I just thought about, it seems to be constantly saying it is evicting due to the frozenTimePeriod, yet none of the data seems to ever come close to that period, but I did find a sourcetype every now and then throws in super old data. Could it be that just the one bit of old data causes the entire bucket to get evicted even if the majority of the data in it is not past the frozen time period?</P> Wed, 23 May 2018 16:34:12 GMT https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411849#M72908 briancronrath 2018-05-23T16:34:12Z https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411850#M72909 <P>So, in the frozen bucket events:</P> <PRE><CODE> 07-24-2014 01:30:51.609 +0200 INFO BucketMover - will attempt to freeze: candidate='/opt/SP/apps/splunk/splunk-6.0.1/var/lib/splunk/rest/db/db_1392823223_1392819715_1'because frozenTimePeriodInSecs=2419200 exceeds difference between now=1406158251 and latest=1392823223' </CODE></PRE> <P>The latest time should be the timestamp of the earliest event in the bucket. Are you receiving freeze events where now - latest &lt; 7776000 ?</P> Wed, 23 May 2018 17:45:25 GMT https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411850#M72909 solarboyz1 2018-05-23T17:45:25Z https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411851#M72910 <P>@briancronrath yes, but only if you rolling based on an index / volume size limit rather than the time based limit (frozenTimePeriodInSecs)</P> <P>Size-based rolling is oldest bucket first which means the <EM>oldest</EM> piece of data within a bucket determines when to roll.</P> <P>frozenTimePeriodInSecs would ensure <EM>all</EM> data was past the required date (even the newest data in the bucket) before rolling the entire bucket.</P> Wed, 23 May 2018 21:39:06 GMT https://community.splunk.com/t5/Getting-Data-In/Logs-in-an-index-getting-rolled-cold-to-frozen-before-size-or/m-p/411851#M72910 gjanders 2018-05-23T21:39:06Z