Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

In Distributed Management Console (DMC), why is DataAge is more than FrozenAge?

ankithreddy777
Contributor
‎02-13-2017 08:38 AM

on Splunk Distributed Management Console, I see that for one index

DataAge Vs FrozenAge

1005/562

why is DataAge more than FrozenAge? why the data is not rolling? Does data Age takes indextime in to account or the timestamp of an event to froze the event. Because, here for DataAge calculation it is taking timestamp of the event. But looks like for rolling buckets it is taken _indextime in to account

0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎03-19-2017 05:44 PM

@ankithreddy777 - Did the answer provided by jtacy help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎02-13-2017 09:32 AM

You need a complete understanding of data retention and retirement policies to even understand the answer to your question.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/Setaretirementandarchivingpolicy

The answer to your question, data age is greater than frozen age possibly because the bucket is still "open".

Such as a hot bucket default size is 10GB for 64bit systems and 750MB for 32bit systems by default. If the data you are adding to the index is much smaller... say 1mb per day, then it would take 10240 days before the HOT bucket closes. In this case Splunk can never roll the hot bucket to warm, and it can not roll from warm to frozen. (Note, Splunk will roll the buckets anytime it stops/restarts)

One way to insure your hot buckets roll is by setting maxHotSpanSecs and maxHotIdleSecs in your indexes.conf:

[indexName]
maxHotSpanSecs = 86401
maxHotIdleSecs = 86401

Thanks to @dwaddle for the reminder. Do not do 86400 or 3600 here as it starts a condition known as ohSnap.

This would cause the hot buckets to roll before reaching their 10gb/750mb limit, and instead they would roll every 86400s (1 day). Another event that will trigger hot bucket rolls is restarting splunk on the indexer.

You can also set the maxDataSize to smaller numbers which will cause them to roll sooner, but generally you end up with a combination of indexes.conf settings when you're trying to set a very specific retention period.

alt text

Reply

jtacy
Builder
‎02-13-2017 02:12 PM

I would also add that it's probably worth looking at some of the earliest data in the index affected by this problem to make sure that timestamp recognition is working properly. If the problem is partly being caused by bad timestamps, rolling hot buckets faster will hide the symptom but not the cause.

Low-throughput indexes are an interesting challenge. Make the buckets too large and they'll almost never roll, but make them too small and they can lead to big bucket counts in a large clustered environment with long retention. Either way, make a poor choice and you might be stuck with the consequences for a while!

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...