Deployment Architecture

What factors into how Splunk creates new hot buckets?

jitsinha
Path Finder

Can anybody put some light on the factors based on why Splunk creates new Hot buckets??

Like maxDataSize and maxHotBuckets - these are the two factors responsible for rollover from hot to warm.

Labels (1)
0 Karma

MuS
SplunkTrust
SplunkTrust

Hi jitsinha,

you can find everything in the docs http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/HowSplunkstoresindexes :

Newly indexed data goes into a hot bucket, which is a bucket that's both searchable and actively being written to. After the hot bucket reaches a certain size, it becomes a warm bucket ("rolls to warm"), and a new hot bucket is created. 

and / or in the wiki :

hope this helps ...

cheers, MuS

anwarmian
Communicator

I gave an up point because MuS mentions that hot buckets are both searchable and actively being written to. This a good point. Warm buckets, on the other hand, are searchable but NOT actively written to. Splunk restart also rolls hot to warm.

0 Karma

jitsinha
Path Finder

anyone please??

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!