Deployment Architecture

How to validate bucket rotation (retention parameters) via search?

Loves-to-Learn Lots

I recently introduced a few parameters around different buckets like hot, warm, cold, etc.
Now I need to see if the buckets are rotating based on the values I provided, and I am trying to find an effective search to help.
Parameters I recently introduced and want to validate based on bucket size and movement are:

maxDataSize = auto_high_volume
maxHotBuckets = 10
maxWarmDBCount = 15
maxTotalDataSizeMB = 512000
frozenTimePeriodInSecs = 7776000
0 Karma

Motivator

The maxTotalDataSizeMB parameter does not apply to individual buckets. It is the maximum data size that an entire index can consume. Once this is reached, the oldest data will roll to frozen. Since the default behavior for rolling to frozen is deletion, you can potentially lose data.

0 Karma

Loves-to-Learn Lots

Thanks for your suggestion.
However, I am looking for something else. I hope you can take the time to read it all and give me some insights.

0 Karma

Motivator

As @jkat54 mentioned, use dbinspect.

0 Karma

Loves-to-Learn Lots

Can someone please help me find an effective search query here?
Or any other method to validate it completely?

0 Karma

SplunkTrust

To be sure you are aware, if you change the bucket settings on an existing index the following may be true/likely:

  1. The peer(s) may need to restart splunkd
  2. Changes to retention time will be retroactive, but changes to the number of buckets, bucket sizes, etc. will not be retroactive.

That means if you had 6 years of data, each year with 10,000 buckets, and you change the settings to be 100 buckets per year, Splunk will create 100 buckets per year going forward in time. It will not change the OLD buckets.

However, if you change the retention TIME to 1 year on the same data, Splunk WILL delete the older buckets (but not always immediately). The last bit is key: it can take time to delete buckets in a large environment. Your search might produce unexpected results until all the fix-up tasks are completed.

Finally, you'll have to allow time for a good sample set of new buckets to be created with the new settings before you can find the settings are correct/incorrect using the command already mentioned:

| dbinspect index=yourIndex
0 Karma
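An added example, not part of any reply in this thread: a Python check that takes the results of `| dbinspect index=yourIndex` exported as CSV and compares them with the four numeric settings from the question. It assumes the limits apply per index on each indexer, so it groups by `splunk_server`; the sample rows are constructed.

```python
import csv
import io

# Limits copied from the question's settings (assumed per index, per indexer).
LIMITS = {"maxHotBuckets": 10, "maxWarmDBCount": 15,
          "maxTotalDataSizeMB": 512000, "frozenTimePeriodInSecs": 7776000}

# Constructed sample of exported `| dbinspect index=yourIndex` results.
# Column names are dbinspect output fields; every value is made up.
SAMPLE_CSV = """splunk_server,state,sizeOnDiskMB,endEpoch
idx1,hot,900.5,1700000000
idx1,warm,10100.0,1699000000
idx1,cold,10050.0,1695000000
idx2,cold,9800.0,1600000000
idx2,thawed,500.0,1500000000
"""

def check_retention(rows, now, limits=LIMITS):
    """Return sorted (splunk_server, finding) pairs for every exceeded limit."""
    per_server = {}
    for row in rows:
        s = per_server.setdefault(
            row["splunk_server"], {"hot": 0, "warm": 0, "mb": 0.0, "expired": 0})
        state = row["state"]
        if state == "thawed":
            continue  # thawed buckets are exempt from size and age retention
        if state in ("hot", "warm"):
            s[state] += 1
        s["mb"] += float(row["sizeOnDiskMB"])
        # A bucket is due to freeze once its newest event (endEpoch) is too old.
        if now - int(row["endEpoch"]) > limits["frozenTimePeriodInSecs"]:
            s["expired"] += 1
    findings = []
    for server, s in per_server.items():
        if s["hot"] > limits["maxHotBuckets"]:
            findings.append((server, f"{s['hot']} hot buckets > maxHotBuckets"))
        if s["warm"] > limits["maxWarmDBCount"]:
            findings.append((server, f"{s['warm']} warm buckets > maxWarmDBCount"))
        if s["mb"] > limits["maxTotalDataSizeMB"]:
            findings.append((server, f"{s['mb']:.0f} MB > maxTotalDataSizeMB"))
        if s["expired"]:
            findings.append((server, f"{s['expired']} bucket(s) past frozenTimePeriodInSecs"))
    return sorted(findings)

def load(text):  # parse a CSV export of dbinspect results into dict rows
    return list(csv.DictReader(io.StringIO(text)))

if __name__ == "__main__":
    print(check_retention(load(SAMPLE_CSV), now=1700000100))
```

A bucket reported as past `frozenTimePeriodInSecs` may simply not have been frozen yet, since removal is not always immediate.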

Loves-to-Learn Lots

The peers have been restarted. How do I monitor these changes since the day I changed this setting for an index?

0 Karma

SplunkTrust

Use your talent to develop the requirements, and then use dbinspect and other SPL commands to achieve your requirements.

"Monitor these changes since the day I change them..." is too vague for anyone to just give you a solution with expectations of it being what you're looking for.

"I want to know if buckets grow larger than maxTotalDataSizeMB"... Now that's a requirement someone can help with.

0 Karma

SplunkTrust

Depending on what exactly you're looking for, the dbinspect command may help.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Loves-to-Learn Lots

I have several queries, but they are not helping much.

I need to determine, with the help of an effective search query, how the bucket states changed and the bucket counts in each state after I changed these parameters:
maxDataSize = auto_high_volume
maxHotBuckets = 10
maxWarmDBCount = 15
maxTotalDataSizeMB = 512000
frozenTimePeriodInSecs = 7776000

0 Karma