Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to total the buckets that will roll from cold to frozen when changing frozenTimePeriodinSecs

wardallen
Path Finder
‎10-12-2014 04:56 PM

I'm running out of space in my cold bucket volume, and want to reduce the default frozenTimePeriodInSecs to force a bunch of older cold data to roll to frozen. I've got plenty of space in frozen.
Is there a way I can get an idea of how much cold volume space I can reclaim if I know how much I want to reduce frozenTimePeriodInSecs?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎10-12-2014 07:02 PM

By using dir or ls or the dbinspect command, you can find out the bucket time ranges. By seeing how many's "latest" edge, which is typically the edge closest to now, you can see how many would fall outside your retention window if you adjusted frozenTimePeriodInSecs.

As far as i know, dbinspect is not properly distributed so you might have to log into indexers, or if you're using a cluster you could hit the cluster bukets endpoint to get xml or json to walk.

ASIDE:
This is all terribly manual of course. We need to build a tool that can address this type of usecase. Specifically "If i changed my configuration like so.... what would happen?" I hope to work on something like this within the next year or so. As for a GUI with nice visualization I have no idea but please file ERs if the lack is a serious issue for you.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎10-12-2014 07:02 PM

By using dir or ls or the dbinspect command, you can find out the bucket time ranges. By seeing how many's "latest" edge, which is typically the edge closest to now, you can see how many would fall outside your retention window if you adjusted frozenTimePeriodInSecs.

As far as i know, dbinspect is not properly distributed so you might have to log into indexers, or if you're using a cluster you could hit the cluster bukets endpoint to get xml or json to walk.

ASIDE:
This is all terribly manual of course. We need to build a tool that can address this type of usecase. Specifically "If i changed my configuration like so.... what would happen?" I hope to work on something like this within the next year or so. As for a GUI with nice visualization I have no idea but please file ERs if the lack is a serious issue for you.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-12-2014 06:16 PM

Take a look at this page.

http://wiki.splunk.com/Deploy:BucketRotationAndRetention

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...