We are getting the small hot buckets warning for this index, but the timestamps look fine, just with a few hours' offset. Not quite sure where to go from here.
"A few hours offset" can be a big contributing factor here. How big of an offset are we talking here? If you haven't changed the value of maxHotBuckets for the index, it defaults to auto, which the indexers use to the set the value to 3. If the timestamp of the data is all over the place (Some in the future, some really old data), Splunk ingests it but force roll a hot bucket to create a new one for the data with unusual timestamp and if it happens frequently, you find a lot of small hot buckets being created in a short span of time.
Hope this helps,
###If it helps, kindly consider accepting as an answer/upvoting###
And all the timestamps are the same TZ, so no weird differing times that I can see either.
So the add-on came with props, and what I mean by offset is that all the events are in a timezone 6 hours ahead of us, but when I search, it converts it to my time. When I tried the search, it failed with this message: "Unable to parse the search: Invalid time bounds in search: start=1654750800 > end=1654198380."
My bad. I wrote the timeranges incorrectly for the search. Have updated the answer above.
I have no events in the future.
Interesting. Could you kindly share which version of Splunk you are using and what percentage of small hot buckets Splunk is reporting in the error message?
Please try running the search from this post and see if the index that you got the error message for gets identified.
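If you can't get to that post, a generic check with dbinspect (not the exact search from the post, just a sketch; swap in your index name) will list the current hot buckets and their sizes per indexer:

| dbinspect index=<your_index>
| search state=hot
| table splunk_server bucketId eventCount sizeOnDiskMB startEpoch endEpoch
| sort splunk_server

A large number of hot buckets with very small sizeOnDiskMB on one indexer usually points to the same forced-roll behaviour described above.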
Could you also check if:
Could you please run the following search over the last 7 days and see if it returns the name of the affected indexer. If it doesn't return a result, please take the "Received shutdown signal." string and search for it in the splunkd.log of the indexer (if you have access to its box).
index=_internal "Received shutdown signal." sourcetype=splunkd component!="SearchParser"
| dedup host
| stats max(_time) as _time by host
Beyond just a second ago when I restarted it, I have nothing popping up.
Okay. This seems interesting though. We've eliminated the most common reasons for this issue. The only ones that remain are:
Well, there are no errors in Splunk for that sourcetype, so nothing like that is flagging in the data. And all the connections seem fine; there are other add-ons on that HF that are reporting fine.
I am running 8.2.4 with 69% of small buckets and it's only flagging on one of my indexers. And I don't see any errors in splunkd regarding that add-on.
Restarting the indexer got rid of the problem for now, not sure it's going to fix the underlying problem.
Ah. Was the instance recently restarted as well? If there's no problem with the log source, you should not face the issue again anytime soon hopefully. Restarting the indexers rolls all the hot buckets to warm, so that would have done the trick for now.
It came back within 2 hours and is now affecting two indexers.
Can you run the following search please:
index=_internal component=HotBucketRoller idx=<insert impacted index name here>
| stats count by caller
which will show why the hot buckets are being rolled.
Then you can run:
index=_internal component=IndexWriter idx=<insert impacted index name here>
which should show more details about why new hot buckets are being created and, if it was due to the timestamp of an event, it will show it.
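If it helps, a rough variant of the first search (same HotBucketRoller data, just bucketed over time) can show whether the rolls are happening in bursts:

index=_internal component=HotBucketRoller idx=<insert impacted index name here>
| timechart span=15m count by caller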
Thanks,
Jamie
Here is the output of the first search.