https://community.splunk.com/t5/Splunk-Search/Question-regarding-small-buckets-warning/m-p/516853#M145289 Yes, I suppose so. And totally agree with you that there shouldn't be any warnings on logs if it's possible to avoid. Sooner or later those usually changes to errors <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span><BR />r. Ismo Sat, 29 Aug 2020 12:01:22 GMT isoutamo 2020-08-29T12:01:22Z https://community.splunk.com/t5/Splunk-Search/Question-regarding-small-buckets-warning/m-p/516049#M144940 <P>So I'm getting the notice regarding small buckets on an index, 100% small buckets on one particular index. Now this index is a summary index that only gets a small volume of new records every day. So it makes sense that the buckets never get large before they're rolled to warm.</P><P>Now for various reason we want to keep this data separate from other indexes, mainly this summary data will live forever whereas&nbsp; other indexes are set for a limited retention period.</P><P>The index is tiny, current size is 8MB and it's holding summary info for the past 8 months, 7 small buckets so far this year.</P><P>I have two questions:<BR />1) since this is a small index do I have to worry about it only having small buckets?<BR />2) Assuming having just small buckets in this particular index doesn't cause any major performance problem for the system overall how do I turn off the alert for this one index?</P><P>&nbsp;</P> Tue, 25 Aug 2020 14:37:32 GMT https://community.splunk.com/t5/Splunk-Search/Question-regarding-small-buckets-warning/m-p/516049#M144940 ernest825 2020-08-25T14:37:32Z https://community.splunk.com/t5/Splunk-Search/Question-regarding-small-buckets-warning/m-p/516052#M144941 <P>Hi</P><P>I'm not suppose that this is a issue. You could just ignore those warnings.</P><P>If you want you maybe could try to extend the&nbsp;</P><PRE>maxHotSpanSecs</PRE><P>but as it's default is 90 days then it's quite obvious that reason for rolling those buckets from hot to warm is something else.</P><P>r. Ismo&nbsp;</P> Tue, 25 Aug 2020 14:55:16 GMT https://community.splunk.com/t5/Splunk-Search/Question-regarding-small-buckets-warning/m-p/516052#M144941 isoutamo 2020-08-25T14:55:16Z https://community.splunk.com/t5/Splunk-Search/Question-regarding-small-buckets-warning/m-p/516852#M145288 <P>Thanks for your reply <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>.</P><P>Ignoring the warning is what we've been doing until now. It's not something I like doing because sooner or later it may result in some other warning being ignored. Looks like in this case we have no choice.</P><P>One thing that I didn't mention in my original post was that we've been using the fill_summary_index.py script to fill in gaps in the summary index and I think that might have created extra buckets resulting eventually in more buckets being rolled after 90 days.&nbsp; And of course there's restarts every so often for OS patching, etc. I doubt that the buckets would become anything other than small even if we doubled maxHotSpanSecs.</P> Sat, 29 Aug 2020 11:33:50 GMT https://community.splunk.com/t5/Splunk-Search/Question-regarding-small-buckets-warning/m-p/516852#M145288 ernest825 2020-08-29T11:33:50Z https://community.splunk.com/t5/Splunk-Search/Question-regarding-small-buckets-warning/m-p/516853#M145289 Yes, I suppose so. And totally agree with you that there shouldn't be any warnings on logs if it's possible to avoid. Sooner or later those usually changes to errors <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span><BR />r. Ismo Sat, 29 Aug 2020 12:01:22 GMT https://community.splunk.com/t5/Splunk-Search/Question-regarding-small-buckets-warning/m-p/516853#M145289 isoutamo 2020-08-29T12:01:22Z