Getting Data In

Why is the size of one of our indexes decreasing instead of increasing?

pavanae
Builder

In settings/indexes, one of the indexes was set to 34,000 mb as maximum size. However, I observed that the current size in mb is around 3000 mb from the past 2 months . In some cases, I even noticed below 3000 mb, even though a lot of data was coming in each and every day. I don't understand why the current size in mb is not increasing. Instead, it's decreasing and staying around 3000 mb. Could anyone tell me what could be the reason?

Tags (2)
0 Karma
1 Solution

pavanae
Builder

That's due to the Frozen bucket size is very less.. After increasing the bucket size. resolved the issue.

View solution in original post

0 Karma

pavanae
Builder

That's due to the Frozen bucket size is very less.. After increasing the bucket size. resolved the issue.

View solution in original post

0 Karma

rsennett_splunk
Splunk Employee
Splunk Employee

It would also help if you post the stanza for that index in indexes.conf. Do you have other "custom" settings other than the maxTotalDataSizeMB setting?
If you want to see where all the buckets are and when they rolled... you'll want to install the Fire Brigade 2 App (and add-on).

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Do run this and post its output:

$SPLUNK_HOME/bin/splunk cmd btool indexes list --debug that_index | grep -v system/default

Additionally, run this search to see if buckets were being moved anywhere:

index=_internal BucketMover

dolivasoh
Contributor

I think Martin is right here. Looks like you're simply rolling buckets.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!