Storage issues on indexer - Splunk Community

Monitoring Splunk

Is it normal to have colddb > db?

4.0K    thaweddb
20M     summary
4.2G    datamodel_summary
9.8G    db
59G     colddb
[root@xxxxxxxplunkdata/_internaldb

it depends on the parameters you configured in your Splunk installation,

as you can see in https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf there are many parameters to configure how long a bucket remains in Warm Data (db) and how long it remains in Cold Data (colddb).

at first, what's the retention of your archive? if you have a long retention (frozenTimePriodInSeconds), buckets stay most time in Cold State.

if you leave the the number of warm as default and you have many data, the pass quickly from Warm to Cold (default of maxWarmDbCount is 300).

In other words it's normal, unless you setted a different configuration.

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers, So you searched, “what is the name of the usb key inserted by bob smith?” Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register Is your ...