Max Bucket Size warning

peter_gianusso
Communicator

On the indexer in Splunk 6, I am getting this error message:

10-25-2013 17:00:11.024 -0400 WARN IndexConfig - Max bucket size is larger than the index size limit. Please check your index configuration. idx=main; bucket size in MB (from maxDataSize) 10240, maxTotalDataSizeMB=1000

It does not state what index.

I checked the index configuration of the main application.

Max size (MB) of entire index : 50000
Max size (MB) of hot/warm/cold bucket is auto

Should I be worried about this message?

1 Solution

yannK
Splunk Employee

Yes, you can have a hot bucket larger than your maximum index size.
So the possible consequence is that a hot bucket will fill your storage, because it cannot be deleted until it is rotated to warm or cold.
So make sure that you have maxDataSize < maxTotalDataSizeMB.

To confirm, run a btool command on your indexes.conf:

splunk cmd btool indexes list

and check for maxDataSize and maxTotalDataSizeMB.

For the explanation of the indexes parameters,
see http://docs.splunk.com/Documentation/Splunk/latest/admin/Indexesconf

```
maxTotalDataSizeMB =
* The maximum size of an index (in MB).
* If an index grows larger than the maximum size, the oldest data is frozen.
* This parameter only applies to hot, warm, and cold buckets. It does not apply to thawed buckets.
* Defaults to 500000.
* Highest legal value is 4294967295

maxDataSize = |auto|auto_high_volume
* The maximum size in MB for a hot DB to reach before a roll to warm is triggered.
* Specifying "auto" or "auto_high_volume" will cause Splunk to autotune this parameter (recommended).
* You should use "auto_high_volume" for high-volume indexes (such as the main
  index); otherwise, use "auto". A "high volume index" would typically be
  considered one that gets over 10GB of data per day.
* Defaults to "auto", which sets the size to 750MB.
* "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.
* Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable
  number ranges anywhere from 100 to 50000. Before proceeding with any higher value, please seek
  approval of Splunk Support.
* If you specify an invalid number or string, maxDataSize will be auto tuned.
* NOTE: The maximum size of your warm buckets may slightly exceed 'maxDataSize', due to post-processing and
  timing issues with the rolling policy.
```


kristian_kolb
Ultra Champion

Yes - it says that it is in the main index (this is the default index).

You should probably look in any of these places:

/opt/splunk/etc/apps//local/indexes.conf
/opt/splunk/etc/slave-apps//local/indexes.conf
/opt/splunk/etc/system/local/indexes.conf

note that for , you'll need to look in all apps in these directories.

The problem seems to be that you have configured a maximum size for the entire index to be 1GB, whereas the maximum size for any bucket within the index is at 10 GB. Thus - as soon as a hot bucket is rolled to warm, it will be frozen (most likely deleted).

/K

0 Karma
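The check both answers describe, as an added example that is not part of the original posts: it parses plain `splunk cmd btool indexes list` output (no `--debug` file prefixes) and reports every index whose resolved maxDataSize is not below maxTotalDataSizeMB. The sample output and function names are constructed, and an invalid maxDataSize is assumed to auto-tune to the "auto" size.

```python
# Sizes come from the indexes.conf text quoted in this thread (10 GB assumes 64-bit).
AUTO_SIZES_MB = {"auto": 750, "auto_high_volume": 10240}
DEFAULT_TOTAL_MB = 500000

# Constructed sample of `splunk cmd btool indexes list` output (not real data).
SAMPLE_BTOOL_OUTPUT = """\
[main]
maxDataSize = auto_high_volume
maxTotalDataSizeMB = 1000
[summary]
maxDataSize = auto
maxTotalDataSizeMB = 50000
"""

def parse_stanzas(text):
    """Return {stanza: {key: value}} from btool-style 'key = value' output."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def bucket_size_mb(value):
    """Resolve maxDataSize to MB (assumption: invalid values tune to 'auto')."""
    value = (value or "auto").strip()
    if value.isdigit() and int(value) > 0:
        return int(value)
    return AUTO_SIZES_MB.get(value, AUTO_SIZES_MB["auto"])

def oversized_buckets(text):
    """List (index, bucket_mb, total_mb) where maxDataSize >= maxTotalDataSizeMB."""
    findings = []
    for name, conf in parse_stanzas(text).items():
        if name == "default" or name.startswith("volume:"):
            continue  # global defaults and volume definitions are not indexes
        bucket = bucket_size_mb(conf.get("maxDataSize"))
        total = int(conf.get("maxTotalDataSizeMB", DEFAULT_TOTAL_MB))
        if bucket >= total:
            findings.append((name, bucket, total))
    return findings

for name, bucket, total in oversized_buckets(SAMPLE_BTOOL_OUTPUT):
    print(f"idx={name}: maxDataSize {bucket} MB >= maxTotalDataSizeMB {total} MB")
```

To check a live indexer, pass the captured output of the btool command to `oversized_buckets` instead of the sample string.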
