How do I extend/increase the size of all buckets in Splunk by time period (days)?

saibal6
Path Finder

Hi Everyone,

I have gone through some Splunk documents about buckets. But most of the time I have seen that everyone discusses how to increase/extend the size of a bucket by size, meaning MB/GB, which is converted to an MB value.

But my concern is that I want to increase/extend my buckets by days (example: I want to store my last 60 days of data in my hot bucket). I know that I have to convert the days to a minutes value and then use that in a bucket configuration. But I didn't find any proper example in Splunk.

Can anyone help me with this, or point me to any good documentation with a proper example? It would be very helpful for me.

Thanks,
Saibal6

0 Karma

DalJeanis
Legend

Thank you for asking, because you saved yourself from disaster.

NO, you do not want to store 60 days in a "hot" bucket.

Store hot and warm in the same place, and roll your hot buckets frequently. There is no sensible reason to attempt to keep a single bucket hot for any given length of time. Hot just means that it is the one current bucket of that type that is open for writing. Warm buckets are just as fast to access, possibly SLIGHTLY faster since they aren't being updated much. Every time that Splunk is restarted, or any of a number of other things happen, the hot buckets will roll to warm, and new hot buckets will be created.

You WANT this to happen.

A bucket cannot move from warm to cold until the last event in the bucket has aged sufficiently. (Or you run out of hot/warm space.) If your buckets are HUGE, then all those events have to roll from warm to cold at the same time. Splunk has no choice.

If, on the other hand, the buckets are reasonably sized, then Splunk can retire data at a reasonable rate.

Start with the planning calculator here to figure out your storage needs. https://splunk-sizing.appspot.com/

That will suggest for you a set of pre-built stanzas to start with. Change them only if you have a good reason.

0 Karma
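The indexes.conf stanza below is an added illustration of the advice above, not code from either poster: hot buckets are rolled frequently, and retention is expressed as an age in seconds (Splunk's time-based index settings take seconds, not minutes, so 60 days is 60 * 86400 = 5184000). The index name and paths are assumptions.

```ini
# Added illustration; the index name and paths are placeholders, not from the thread.
[example_index]
homePath   = $SPLUNK_DB/example_index/db
coldPath   = $SPLUNK_DB/example_index/colddb
thawedPath = $SPLUNK_DB/example_index/thaweddb

# Roll a hot bucket to warm once its events span one day (86400 s), so no
# single bucket holds weeks of data. The Splunk default is 7776000 s (90 days).
maxHotSpanSecs = 86400

# A hot bucket also rolls when it reaches this size, so on a busy index you
# will get several buckets per day. auto_high_volume is 10 GB on 64-bit hosts.
maxDataSize = auto_high_volume

# Warm buckets roll to cold by count (or by homePath.maxDataSizeMB), not by
# age. With roughly one bucket per day, 60 warm buckets keeps about 60 days of
# data on the hot/warm tier, which is what the question was really after.
maxWarmDBCount = 60

# Cold buckets are frozen (deleted unless coldToFrozenDir is set) only once
# their newest event is older than this: 365 days * 86400 s = 31536000 s.
# Small buckets therefore retire a day at a time instead of all at once.
frozenTimePeriodInSecs = 31536000

# Size ceiling for the whole index (hot + warm + cold), in MB. When this is
# hit the oldest bucket is frozen regardless of age, so size it from the
# planning calculator rather than guessing.
maxTotalDataSizeMB = 500000
```

Verify the effective values after a restart with `splunk btool indexes list example_index --debug`, which shows which file each setting came from.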

RHASQaL
Path Finder

Have you looked at the "Set a retirement and archiving policy" documentation?

0 Karma