Hi,
I am getting the error below for the '_introspection' index:
The percentage of small buckets (75%) created over the last hour is high and exceeded the red thresholds (50%) for index=_introspection, and possibly more indexes, on this indexer. At the time this alert fired, total buckets created=4, small buckets=3
I want to know why this is happening with the _introspection index.
I can understand that if I increase the hot bucket count the error may get resolved, but I would like to know why it is happening.
Thanks,
Were you ever able to confirm what was causing this issue?
If you are on Linux, the default setting in Splunk is to forward/index all files at /opt/splunk/var/log/splunk/*
This becomes an issue if you have logrotate configured, and have not updated dir monitoring.
Meaning, logrotate will either rotate log files and append a timestamp, or compress the files to .gz, or both.
Out of the box, Splunk will index all versions of the same file because it sees them as "new".
Ensure that you are not indexing locally, whitelist .log files, and blacklist everything else.
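Added example (not part of the reply above, and not Splunk's shipped configuration): one way to express the whitelist/blacklist advice as a local inputs.conf override, plus the outputs.conf setting that stops a forwarder from indexing locally. The monitor stanza paths follow Splunk's default stanzas for its own logs and introspection data; the regexes are assumptions that match the rotation styles described above (timestamp/number suffix, .gz compression) and should be checked against the actual file names in the directory.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf  (added example, hypothetical override)
# Override the default monitor of Splunk's own log directory so that only the
# live *.log files are read. Splunk evaluates whitelist first, then blacklist;
# a file must match the whitelist AND not match the blacklist to be indexed.
[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
whitelist = \.log$
# Rotated/compressed copies: app.log.1, app.log-20240101, app.log.gz, app.log.1.gz
blacklist = \.log[.-]\d+(\.gz)?$|\.gz$

# Same treatment for the introspection logs that feed index=_introspection.
[monitor://$SPLUNK_HOME/var/log/introspection]
index = _introspection
whitelist = \.log$
blacklist = \.log[.-]\d+(\.gz)?$|\.gz$

# $SPLUNK_HOME/etc/system/local/outputs.conf  (added example, forwarder only)
# Do not keep a local copy of forwarded data; send it to the indexers instead.
[indexAndForward]
index = false
```

After editing, `splunk btool inputs list --debug` shows the merged stanzas and which file each setting came from, and `splunk list inputstatus` shows which files under the monitored directories Splunk is actually reading, which is the quickest way to confirm the rotated copies are now excluded.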
@codebuilder I am on Windows OS and have only a batch monitoring input configured. Not sure why I am receiving older events in the _introspection index.