Why is the size of one of our indexes decreasing instead of increasing?

Builder

In settings/indexes, one of the indexes was set to 34,000 MB as maximum size. However, I observed that the current size in MB has been around 3000 MB for the past 2 months. In some cases, I even noticed it below 3000 MB, even though a lot of data was coming in each and every day. I don't understand why the current size in MB is not increasing. Instead, it's decreasing and staying around 3000 MB. Could anyone tell me what could be the reason?

0 Karma

Re: Why is the size of one of our indexes decreasing instead of increasing?

SplunkTrust

Do run this and post its output:

$SPLUNK_HOME/bin/splunk cmd btool indexes list --debug that_index | grep -v system/default

Additionally, run this search to see if buckets were being moved anywhere:

index=_internal BucketMover

Re: Why is the size of one of our indexes decreasing instead of increasing?

Contributor

I think Martin is right here. Looks like you're simply rolling buckets.

0 Karma

Re: Why is the size of one of our indexes decreasing instead of increasing?

Splunk Employee

It would also help if you post the stanza for that index in indexes.conf. Do you have other "custom" settings other than the maxTotalDataSizeMB setting?
If you want to see where all the buckets are and when they rolled... you'll want to install the Fire Brigade 2 App (and add-on).

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Re: Why is the size of one of our indexes decreasing instead of increasing?

Builder

That's because the frozen bucket size was very small. After increasing the bucket size, the issue was resolved.

0 Karma
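
Added example, not part of any post in this thread: one way to read the btool output requested above and see which retention setting makes an index level off well below maxTotalDataSizeMB. The sample output, file paths, the 430 MB/day growth figure and the function names are constructed assumptions; frozenTimePeriodInSecs is the standard indexes.conf time-based retention setting, which the thread itself does not mention.

```python
import re

# Constructed sample of `splunk cmd btool indexes list --debug that_index`
# output; the paths and values are made up, not taken from the thread.
SAMPLE = """\
/opt/splunk/etc/apps/org_indexes/local/indexes.conf [that_index]
/opt/splunk/etc/apps/org_indexes/local/indexes.conf coldPath = $SPLUNK_DB/that_index/colddb
/opt/splunk/etc/system/default/indexes.conf         coldPath.maxDataSizeMB = 0
/opt/splunk/etc/apps/org_indexes/local/indexes.conf frozenTimePeriodInSecs = 604800
/opt/splunk/etc/apps/org_indexes/local/indexes.conf homePath = $SPLUNK_DB/that_index/db
/opt/splunk/etc/system/default/indexes.conf         homePath.maxDataSizeMB = 0
/opt/splunk/etc/apps/org_indexes/local/indexes.conf maxTotalDataSizeMB = 34000
"""

# "<conf file>  <setting> = <value>"; assumes the file path has no spaces.
LINE = re.compile(r"^(\S+)\s+([\w.]+)\s*=\s*(.*)$")


def parse_btool(text):
    """Return {setting: (value, source_file)}; stanza header lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            path, key, value = m.groups()
            settings[key] = (value.strip(), path)
    return settings


def plateau(settings, daily_mb):
    """Estimate where the index size levels off for a given on-disk growth rate.

    Buckets are frozen once their newest event is older than
    frozenTimePeriodInSecs, or once the index exceeds maxTotalDataSizeMB,
    whichever limit is reached first. This is a simplification: whole buckets
    roll at once, so the real size fluctuates around the estimate.
    """
    max_total = int(settings["maxTotalDataSizeMB"][0])
    days = int(settings["frozenTimePeriodInSecs"][0]) / 86400
    time_bound = daily_mb * days
    key = "frozenTimePeriodInSecs" if time_bound < max_total else "maxTotalDataSizeMB"
    return {"retention_days": days, "plateau_mb": min(time_bound, max_total),
            "binding_setting": key, "set_in": settings[key][1]}


if __name__ == "__main__":
    print(plateau(parse_btool(SAMPLE), daily_mb=430))
```

If the binding setting is shorter than the period investigations need to look back over, older events are already frozen (deleted by default unless an archive location is configured) and cannot be searched.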