Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

What is the hot bucket max time?

debjit_k
Path Finder
‎04-14-2022 04:57 AM

Hi All

I'm very new to Splunk can someone help me after how many days the data will transfer from hot bucket to warm bucket. 

Note: default is 90 days that I know but I want proof which I need to show so can someone guide me from where I could find this.

Thank you in advance!!

Labels (1)
Labels
0 Karma
Reply

venky1544
Builder
‎04-14-2022 06:31 AM

Hi @debjit_k 

Hot buckets roll to warm bucket when they reach max size and timespan 

also they roll to warm when indexer is restarted or 24 hours with no events written to the hot bucket

so if you want to demonstrate you can follow the steps in the link and tweak it according to your use case 

https://www.batchworks.de/manually-roll-buckets-from-hot-to-warm/

in my scenario i noted the splunk bucket details in the hot bucket did a restart of the indexer and saw the bucket rolling to warm bucket 

Hope this helps

Note: if this helps karma points are  appreciated / if it really worked for you please the accept the solution it might help others 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-14-2022 05:57 AM

It is not that straightforward.

There is indeed a setting maxHotSpanSecs which sets _maximum_ timespan of a bucket but the bucket might be rolled out to warm in certain circumstances (if you have maxHotIdleSecs parameter set and you don't receive events for that period of time, if it reaches its size limit or when the indexer is restarted).

So the maxHotSpanSecs is the theoretical maximum "age" of a hot bucket.

You might want to read the docs for indexes.conf file.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...