In settings/indexes, one of the indexes was set to 34,000 MB as maximum size. However, I observed that the current size in MB has been around 3000 MB for the past 2 months. In some cases, I even noticed it below 3000 MB, even though a lot of data was coming in each and every day. I don't understand why the current size in MB is not increasing. Instead, it's decreasing and staying around 3000 MB. Could anyone tell me what could be the reason?
That's because the Frozen bucket size is very small. Increasing the bucket size resolved the issue.
It would also help if you post the stanza for that index in indexes.conf. Do you have other "custom" settings other than the maxTotalDataSizeMB setting?
If you want to see where all the buckets are and when they rolled... you'll want to install the Fire Brigade 2 App (and add-on).
Do run this and post its output:
$SPLUNK_HOME/bin/splunk cmd btool indexes list --debug that_index | grep -v system/default
Additionally, run this search to see if buckets were being moved anywhere:
index=_internal BucketMover
I think Martin is right here. Looks like you're simply rolling buckets.