Hi Everyone,
I have gone through some Splunk documents about buckets. But most of the time I have seen that everyone discusses how to increase/extend the size of a bucket by size, meaning MB/GB, which is converted into MB.
But my concern is that I want to increase/extend my buckets by days (example: I want to store my last 60 days of data in my hot bucket). I know that I have to convert the days to a minutes value and then use that in a bucket configuration. But I didn't find any proper example in Splunk.
Can anyone help me on this or any good documentation with a proper example? It'll be very helpful for me.
Thanks,
Saibal6
Thank you for asking, because you saved yourself from disaster.
NO, you do not want to store 60 days in a "hot" bucket.
Store hot and warm in the same place, and roll your hot buckets frequently. There is no sensible reason to attempt to keep a single bucket hot for any given length of time. Hot just means that it is the one current bucket of that type that is open for writing. Warm buckets are just as fast to access, possibly SLIGHTLY faster since they aren't being updated much. Every time that Splunk is restarted, or any of a number of other things happen, the hot buckets will roll to warm, and new hot buckets will be created.
You WANT this to happen.
A bucket cannot move from warm to cold until the last event in the bucket has aged sufficiently. (Or you run out of hot/warm space.) If your buckets are HUGE, then all those events have to roll from warm to cold at the same time. Splunk has no choice.
If, on the other hand, the buckets are reasonably sized, then Splunk can retire data at a reasonable rate.
Start with the planning calculator here to figure out your storage needs. https://splunk-sizing.appspot.com/
That will suggest for you a set of pre-built stanzas to start with. Change them only if you have a good reason.
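The sizing point in this answer (a bucket can only be retired once its newest event has aged out, so a bucket spanning 60 days holds its oldest data far past the retention period) can be made concrete with a small model. This is an added illustration, not Splunk's code or the answerer's: it models only the rule that a bucket is frozen when its newest event is older than `frozenTimePeriodInSecs`, plus a simplified time-span-only roll from hot to warm (size-based rolls, `maxHotBuckets` and restarts are left out). `maxHotSpanSecs` and `frozenTimePeriodInSecs` are real indexes.conf attribute names; the two value sets and the one-event-per-day input are constructed for the example.

```python
# Toy model of Splunk bucket ageing (constructed illustration, not Splunk code).
# Attribute names are real indexes.conf settings; the values are made up here.
DAY = 86400  # seconds

# "Weak" setting from the question (60-day hot bucket) beside a corrected one.
HUGE_HOT_BUCKETS = {"maxHotSpanSecs": 60 * DAY, "frozenTimePeriodInSecs": 90 * DAY}
SMALL_BUCKETS = {"maxHotSpanSecs": 1 * DAY, "frozenTimePeriodInSecs": 90 * DAY}

# Constructed input: one event per day for 120 days (timestamps in seconds).
SAMPLE_EVENTS = [d * DAY for d in range(120)]


def build_buckets(event_times, max_hot_span_secs):
    """Group timestamps into (earliest, latest) buckets.

    Simplified roll rule (an assumption of this model): the hot bucket rolls
    to warm as soon as adding an event would make its span reach
    maxHotSpanSecs. Buckets are returned in time order.
    """
    buckets = []
    for t in sorted(event_times):
        if buckets and t - buckets[-1][0] < max_hot_span_secs:
            buckets[-1] = (buckets[-1][0], t)  # still fits: extend current bucket
        else:
            buckets.append((t, t))  # roll: start a new hot bucket
    return buckets


def freeze_time(bucket, frozen_time_period_secs):
    """A bucket is frozen only when its *newest* event exceeds the retention period."""
    return bucket[1] + frozen_time_period_secs


def freeze_schedule(event_times, settings):
    """(freeze_time, event_count) for each bucket, i.e. when data actually leaves disk."""
    times = sorted(event_times)
    schedule = []
    for lo, hi in build_buckets(times, settings["maxHotSpanSecs"]):
        count = sum(1 for t in times if lo <= t <= hi)
        schedule.append((freeze_time((lo, hi), settings["frozenTimePeriodInSecs"]), count))
    return schedule


def events_on_disk(event_times, now, settings):
    """Events still retained at time `now` (buckets not yet frozen)."""
    return sum(count for ft, count in freeze_schedule(event_times, settings) if ft > now)


def max_overretention_secs(event_times, settings):
    """Worst case: how long the oldest event in a bucket outlives the retention period."""
    worst = 0
    for lo, hi in build_buckets(event_times, settings["maxHotSpanSecs"]):
        lifetime_of_oldest = freeze_time((lo, hi), settings["frozenTimePeriodInSecs"]) - lo
        worst = max(worst, lifetime_of_oldest - settings["frozenTimePeriodInSecs"])
    return worst


if __name__ == "__main__":
    now = 200 * DAY
    for name, cfg in (("60-day hot bucket", HUGE_HOT_BUCKETS), ("1-day buckets", SMALL_BUCKETS)):
        sched = freeze_schedule(SAMPLE_EVENTS, cfg)
        print(f"{name}: {len(sched)} buckets, "
              f"{events_on_disk(SAMPLE_EVENTS, now, cfg)} events still on disk at day 200, "
              f"oldest event over-retained by {max_overretention_secs(SAMPLE_EVENTS, cfg) // DAY} days")
```

With the 60-day setting, 120 days of data become two buckets that each drop off disk in one step, and the oldest event in each sits 59 days past the 90-day policy; with 1-day buckets, retirement happens one day at a time and nothing is held beyond the policy.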
Have you looked at the "Set a retirement and archiving policy" documentation?