Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How does frozenTimePeriodInSecs and maxWarmDBCount perform

rickymckenzie10
Explorer
‎02-27-2024 04:36 PM

Currently, each of my indexes is set to a specific and own frozenTimePeriodInSecs, but I am noticing they are not rolling over to cold when the frozenTimePeriodInSecs value is set.

Data Age (keeps growing) vs Frozen Age (stays as what it is set in frozenTimePeriodInSecs)

maxWarmDBCount is set to:

 

maxWarmDBCount = 4294967295

 

 Does this effect?

If the value is changed, would data roll to cold?

Labels (2)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎02-27-2024 08:53 PM

@rickymckenzie10 - To simplify your understanding of warm and cold buckets and different parameters.

(Only applicable when you are not using volumes)

 

Warm Buckets -> buckets in /db path

Cold Buckets -> buckets in /colddb path

Frozen Buckets -> Deleted/Archived data

 

Warm to Cold Bucket Movement -> when maxWarmDBCount bucket count is reached.

 

Cold to Frozen (deleting, max age) Bucket Movement -> when all events are older than frozenTimePeriodInSecs

 

I hope this helps you understand the parameters better. Kindly upvote if it does!!!

0 Karma
Reply

victor_menezes
Path Finder
‎02-27-2024 06:47 PM

Hey Ricky,

AFAIK maxWarmDBCount doesn't affect the rollover of data (but it can be storage hungry so be careful with that), it is something the frozenTimePeriodInSecs do instead. In your case, if I understood correctly, the frozen time already passed but your data did not rolled over, and that may be either because your cluster manager is too busy at the moment (and you are experiencing delay in this processing) OR maybe it is waiting for the buckets to hit a threshold in size. Check the bucket replication status also, it may indicate if there is any problem in there...

Are you using maxTotalDataSizeMB key by any chance? Try to add that also to see if you get any diff behavior.

0 Karma
Reply

rickymckenzie10
Explorer
‎02-28-2024 01:24 PM

@victor_menezes can you expand a little more on this:

AFAIK maxWarmDBCount doesn't affect the rollover of data (but it can be storage hungry so be careful with that), it is something the frozenTimePeriodInSecs do instead

Yes, I am using maxTotalDataSizeMB in each of the indexes. They all have their specific size.

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...