Getting Data In

Hot buckets filling up

fred_mcghee
Engager

I have 36 indexers each with 2.7gb of space. There are currently 29 of the 36 at capacity and keeping entering abnormal state. How can I get the indexes to roll the data or open up space to solve the alerting?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You appear to have at least two problems:
1) Your data is not evenly distributed across your indexers. Even distribution would have kept the 29 drives from filling up quickly and would improve search performance, but is not your main problem.
2) Your indexes are mis-configured. Volumes should be sized so they don't, combined, exceed the available storage. Don't forget to allow for file system overhead, data model accelerations, and replicated buckets. We'd have to know more about your index configuration to offer specific advise.

Also. you may have too many replicated buckets. Consider lowering your replication factor.
Make sure $SPLUNK_DB is not sharing storage with $SPLUNK_HOME, the operating system, or another application.

---
If this reply helps you, Karma would be appreciated.
0 Karma

fred_mcghee
Engager

Hello Rich

We are set to 2 searchable and 3 replicated right now. I believe we are sized too small. We have 2.7 gb of space on all the indexers and 2.6 is used. I think it was configure to have 30 days of searchable data in HOT and I think that is too much data. Do you think increasing the storage of the indexers is the best option or decrease the days os HOT searchable?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Adding more storage is the best idea, but you may find yourself in the same situation later if you don't get your configuration right. Once you have the settings tuned buckets should roll before the storage fills.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...