Re: How to validate bucket rotation (retention par...

sagaraverma · ‎04-24-2020

I recently introduced a few parameters around different buckets like hot, warm, cold, etc.
Now I need to see if the buckets are rotating based on the values I provided, and I am trying to find an effective search to help.
Parameters I recently introduced and want to validate based on bucket size and movement are:

maxDataSize = auto_high_volume
maxHotBuckets = 10
maxWarmDBCount = 15
maxTotalDataSizeMB = 512000
frozenTimePeriodInSecs = 7776000

codebuilder · ‎04-28-2020

The maxTotalDataSizeMB parameter does not apply to individual buckets. It is the maximum data size that an entire index can consume. Once this is reached, the oldest data will roll to frozen. Since the default behavior for rolling to frozen is deletion, you can potentially lose data.

----
An upvote would be appreciated and Accept Solution if it helps!

sagaraverma · ‎04-28-2020

Thanks for your suggestion.
However, I am looking for something else. I hope if you can take time to ready out all and get me some insights.

codebuilder · ‎04-28-2020

As @jkat54 mentioned, use dbinspect.

----
An upvote would be appreciated and Accept Solution if it helps!

sagaraverma · ‎04-26-2020

Can someone please help to seek me an effective search query here ?
Or any other method to validate it completely ?

jkat54 · ‎04-26-2020

To be sure you are aware, if you change the bucket settings on an existing index the following may be true/likely:

The peer(s) may need to restart splunkd
Changes to retention time will be retroactive, but changes to the number of buckets and bucket sizes etc will not be retroactive.

That means if you had 6 years of data, each year with 10,000 buckets, and you change the settings to be 100 buckets per year, Splunk will create 100 buckets per year going forward in time. It will not change the OLD buckets.

However if you change the retention TIME to 1 year on the same data, Splunk WILL delete the older buckets (but not always immediately). Last bit is key, it can take time to delete buckets in a large environment. Your search might produce unexpected results until all the fix up tasks were completed.

Finally, you'll have to allow time for a good sample set of new buckets to be created with the new settings before you can find the settings are correct/incorrect using the command already mentioned:

| dbinspect index=yourIndex

sagaraverma · ‎04-26-2020

Peers had been restarted, how do I monitor these changes since the day I changed this setting for an index ?

jkat54 · ‎04-26-2020

Using your talent, developing the requirements and then use dbinspect and other SPL commands to achieve your requirements.

"Monitor these changes since the day I change them..." Is too vague for anyone to just give you a solution with expectations of it being what you're looking for.

"I want to know if buckets grow larger than maxTotalDataSizeMB"... Now that's a requirement someone can help with.

richgalloway · ‎04-24-2020

Depending on what exactly you're looking for, the dbinspect command may help.

---
If this reply helps you, Karma would be appreciated.

sagaraverma · ‎04-24-2020

I have several queries but not helping much.

I need to determine with help of some effective search query on how buckets state changed and their counts in individual states after I changed these parameters -
maxDataSize = auto_high_volume
maxHotBuckets = 10
maxWarmDBCount = 15
maxTotalDataSizeMB = 512000
frozenTimePeriodInSecs = 7776000

How to validate bucket rotation (retention parameters) via search?

workload management

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes