Deployment Architecture

How do I extend/increase the all buckets size in Splunk by Time period (Days)?

Path Finder

Hi Everyone,

I have gone through some Splunk documents about buckets. But most of the time I have seen that everyone discusses how to increase/extend the size of any bucket by Size means either MB/GB, which is converted in mb format.

But my concern is I want to increase/extend my buckets by Days format (example : I want to store my last 60 days data in my hot bucket). I know that I have to convert the days to minutes value and then use that in abucket configuration. But I didn't find any proper example in Splunk.

Can anyone help me on this or any good documentation with a proper example? It'll be very helpful for me.


0 Karma


Thank you for asking, because you saved yourself from disaster.

NO, you do not want to store 60 days in a "hot" bucket.

Store hot and warm in the same place, and roll your hot buckets frequently. There is no sensible reason to attempt to keep a single bucket hot for any given length of time. Hot just means that it is the one current bucket of that type that is open for writing. Warm buckets are just as fast to access, possibly SLIGHTLY faster since they aren't being updated much. Every time that Splunk is restarted, or any of a number of other things happen, the hot buckets will roll to warm, and new hot buckets will be created.

You WANT this to happen.

A bucket cannot move from warm to cold until the last event in the bucket has aged sufficiently. (Or you run out of hot/warm space.) If your buckets are HUGE, then all those events have to roll from warm to cold at the same time. Splunk has no choice.

If, on the other hand, the buckets are reasonably sized, then Splunk can retire data at a reasonable rate.

Start with the planning calculator here to figure out your storage needs.

That will suggest for you a set of pre-built stanzas to start with. Change them only if you have a good reason.

0 Karma

Path Finder

Have you looked at the set a retirement and archiving policy documentation?

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...