All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Hot to warm bucket issue- Why there is a deviation of rolling of data from hot to warm?

debjit_k
Path Finder
‎07-10-2022 05:40 AM

Hi all 

If my understanding is correct then data will roll from hot to warm after 90 days. I check the time on index.conf it is mentioned 90 days.

My concern

1. But for certain index I can see only see 56 days of data not 90 days.

2. A device from a index is last reporting on 30th of April now if I go and give a time frame of all time I will get no match or no data from that device. 

Can anyone guide me why there is a deviation of rolling of data from hot to warm. 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-10-2022 07:51 AM

Check your buckets' status. Use

| dbinspect index=<your_index>

search over "All Time" range.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-10-2022 06:13 AM

Rolling of data from hot to warm is governed by a few factors: time, size, and count.  Also, restarting an indexer will roll all hot buckets to warm.  To know why your buckets are rolling when they are we'll have to know their indexes.conf settings, how many buckets there are, and their sizes.

Whether a bucket is hot or warm has no bearing on whether data is available to search or not.  If data is only available for 56 days instead of 90 then 34 days of data moved from hot/warm/cold to frozen.

April 30th is more than 60 days ago.  If the data is only being retained for 56 days then April data probably had to be discarded to make room for newer data.  Again, we'd need to know indexer.conf settings and the nature of incoming data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

debjit_k
Path Finder
‎07-10-2022 06:29 AM

Hi @richgalloway ,

Yes i agreed with your pounts.

Total hot bucket is 3 i.e. Default 

Maxdatasize=auto I.e. 750MB by default I guess

We never restart the indexer so restarting would not be the case.

But from some device we can see 2gb of data per day is being indexing.

And one more concern I have saw few device logs which is not being reporting for 121 days.

Why is a difference and yes we have set  everything to default settings.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...