What is the hot bucket max time?

debjit_k · ‎04-14-2022

Hi All

I'm very new to Splunk can someone help me after how many days the data will transfer from hot bucket to warm bucket.

Note: default is 90 days that I know but I want proof which I need to show so can someone guide me from where I could find this.

Thank you in advance!!

venky1544 · ‎04-14-2022

Hi @debjit_k

Hot buckets roll to warm bucket when they reach max size and timespan

also they roll to warm when indexer is restarted or 24 hours with no events written to the hot bucket

so if you want to demonstrate you can follow the steps in the link and tweak it according to your use case

https://www.batchworks.de/manually-roll-buckets-from-hot-to-warm/

in my scenario i noted the splunk bucket details in the hot bucket did a restart of the indexer and saw the bucket rolling to warm bucket

Hope this helps

Note: if this helps karma points are appreciated / if it really worked for you please the accept the solution it might help others

PickleRick · ‎04-14-2022

It is not that straightforward.

There is indeed a setting maxHotSpanSecs which sets _maximum_ timespan of a bucket but the bucket might be rolled out to warm in certain circumstances (if you have maxHotIdleSecs parameter set and you don't receive events for that period of time, if it reaches its size limit or when the indexer is restarted).

So the maxHotSpanSecs is the theoretical maximum "age" of a hot bucket.

You might want to read the docs for indexes.conf file.

What is the hot bucket max time?

indexer

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...