Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Critical Bucket size and range

jamie1
Communicator
‎01-16-2024 02:24 AM

Hi There,

I have noticed that the cloud monitoring console is reporting a critical bucket. I only have one and have attached a screenshot. The small % is 100. 

Unfortunately, I am not certain as to what this really means and whether it is something to worry about or not.

Any help would be appreciated,

Jamie

Labels (2)
Labels
Preview file
62 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-14-2025 01:41 PM

This is an indication of inefficient bucket use, meaning buckets roll `before they fill up.  This can happen when indexers restart often, but in this case I suspect it's just a matter of the main index getting very few events before maxHotSpecSecs is reached and the bucket rolls to warm.

The answer for buckets that are known to contain few events is to set maxDataSize to a value that makes the bucket at least 50% full before it rolls.  The default bucket size is 750MB.  The dbinspect command can tell you the current size of buckets to give you an idea of how to set maxDataSize.

Best Practice is to not use the main index at all.  All incoming data should go into a custom index, leaving main empty (and not needing to roll).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎04-15-2025 01:45 PM
Another reason could be that your events contains timestamps from very far away each other. This also leads that buckets will close earlier than those are full.

There should be some indications for reason in _internal logs or even some CMC -> Indexing -> Data quality.
0 Karma
Reply

colbym
Path Finder
‎04-14-2025 12:57 PM

I have the same question

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...