After our upgrade from 6.5 to 7.2, 1 of 2 indexers has high RAM utilisation. We are running Enterprise Security too.
Health Status from the search head is showing a yellow for splunkd - data forwarding (I assume to that indexer?)
Health status on that indexer is showing a Red for buckets.
The percentage of small of buckets created (60) over the last hour is very high and exceeded the red thresholds (50) for index=app_logs, and possibly more indexes, on this indexer
So I'm not sure why it's creating lots of small buckets - is this related to how we set up inputs?
indexes.conf for the bucket:
homePath = $SPLUNK_DB/app_logs/db
coldPath = $SPLUNK_DB/app_logs/colddb
thawedPath = $SPLUNK_DB/app_logs/thaweddb
frozenTimePeriodInSecs = 31557600
disabled = 0