Splunk Enterprise Security

Bucket rotation and retention

LM_ACN
Engager

Hi all,

I'm here to ask you for some information about a current setting I found on an existing Splunk index.

In particular, this is the indexes.conf stanza related to the index A:

[A]
homePath = volume:primary/A/db
coldPath = volume:secondary/A/colddb
thawedPath = $SPLUNK_DB/A/thaweddb
homePath.maxDataSizeMB = 15360
coldPath.maxDataSizeMB = 30720
maxWarmDBCount = 4294967295
frozenTimePeriodInSecs = 7776000
maxDataSize = auto
coldToFrozenDir = /splunk/A/frozendb
archiver.enableDataArchive = 0
bucketRebuildMemoryHint = 0
compressRawdata = 1
enableDataIntegrityControl = 0
enableOnlineBucketRepair = 1
enableTsidxReduction = 0
maxTotalDataSizeMB = 102400
minHotIdleSecsBeforeForceRoll = 0
rtRouterQueueSize =
rtRouterThreads =
selfStorageThreads =
suspendHotRollByDeleteQuery = 0
syncMeta = 1
tsidxWritingLevel =
enableDataIntegrityControl=true

After checking the bucket information via the monitoring console, I have the following questions:

1) Why is there a hot bucket for index A with startEpoch 16 December and endEpoch 31 December, and a size on disk of 375 MB?
Is it because it has hit neither the size nor the time (default maxHotSpanSecs = 90 days) threshold to roll to warm?

2) If my requirement is 6 months of retention for this index, how can I be sure the frozenTimePeriodInSecs parameter acts as expected?

3) I was thinking of setting maxHotSpanSecs to 1 day for hot to warm, but what about rolling from warm to cold, in a way that does not create any kind of problem with conf modifications on existing data?

Thanks in advance everyone.

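As an added example (not part of the original post, and not Splunk's own tooling), here is a small Python script that reads a stanza like the one posted above and checks the three questions mechanically: which hot-to-warm roll trigger (size or span) a given hot bucket has actually hit, whether frozenTimePeriodInSecs covers a 6-month requirement and when a bucket with a given endEpoch becomes eligible to freeze, and whether the stanza contains a repeated key. It assumes the documented Splunk defaults (maxDataSize = auto is 750 MB, maxHotSpanSecs defaults to 7776000 s), that a key repeated within one stanza resolves to its last value (confirm on the real host with `splunk btool indexes list A --debug`), and the year 2024 for the December dates in question 1, which the post does not state. The stanza text is a constructed copy of the posted one.

```python
"""Check an indexes.conf stanza against a retention requirement.

Added example, not from the original post. Assumptions: maxDataSize=auto is
750 MB, maxHotSpanSecs defaults to 7776000 s (90 days), and a key repeated
inside one stanza resolves to its last value (verify with btool --debug).
"""
from datetime import datetime, timezone

# Constructed copy of the posted stanza, including its repeated key.
STANZA = """\
[A]
homePath = volume:primary/A/db
coldPath = volume:secondary/A/colddb
homePath.maxDataSizeMB = 15360
coldPath.maxDataSizeMB = 30720
maxWarmDBCount = 4294967295
frozenTimePeriodInSecs = 7776000
maxDataSize = auto
maxTotalDataSizeMB = 102400
rtRouterQueueSize =
enableDataIntegrityControl = 0
enableDataIntegrityControl=true
"""

DEFAULT_MAX_HOT_SPAN_SECS = 7776000   # Splunk default: 90 days
AUTO_MAX_DATA_SIZE_MB = 750           # maxDataSize = auto
SIX_MONTHS_SECS = 183 * 86400         # the post's 6-month requirement


def parse_stanza(text):
    """Return (settings, repeated_keys); the last occurrence of a key wins."""
    settings, repeated = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in settings:
            repeated.append(key)
        settings[key] = value
    return settings, repeated


def hot_bucket_roll_reasons(settings, start_epoch, end_epoch, size_mb):
    """Which hot-to-warm triggers has this bucket hit? [] means it stays hot."""
    max_span = int(settings.get("maxHotSpanSecs", DEFAULT_MAX_HOT_SPAN_SECS))
    raw = settings.get("maxDataSize", "auto")
    if raw == "auto":
        max_size = AUTO_MAX_DATA_SIZE_MB
    elif raw == "auto_high_volume":
        max_size = 10240                # 10 GB on 64-bit systems
    else:
        max_size = int(raw)
    reasons = []
    if size_mb >= max_size:
        reasons.append("size")
    if end_epoch - start_epoch >= max_span:
        reasons.append("span")
    return reasons


def retention_report(settings, required_secs):
    """Time-based retention vs. requirement, plus the volume caps that can
    freeze data earlier than frozenTimePeriodInSecs would."""
    frozen = int(settings["frozenTimePeriodInSecs"])
    home = int(settings["homePath.maxDataSizeMB"])
    cold = int(settings["coldPath.maxDataSizeMB"])
    total = int(settings["maxTotalDataSizeMB"])
    return {
        "frozen_days": frozen // 86400,
        "time_retention_ok": frozen >= required_secs,
        "volume_caps_fit_total": home + cold <= total,
    }


def freeze_eligible_epoch(settings, end_epoch):
    """A bucket may freeze once its newest event (endEpoch) is older than
    frozenTimePeriodInSecs; maxTotalDataSizeMB can force it sooner."""
    return end_epoch + int(settings["frozenTimePeriodInSecs"])


def epoch(y, m, d):
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())


if __name__ == "__main__":
    cfg, dups = parse_stanza(STANZA)
    print("repeated keys:", dups, "->", cfg["enableDataIntegrityControl"])
    # Question 1: 16-31 Dec (year assumed 2024), 375 MB on disk.
    print("roll triggers hit:",
          hot_bucket_roll_reasons(cfg, epoch(2024, 12, 16), epoch(2024, 12, 31), 375))
    # Question 2: does the stanza give 6 months?
    print(retention_report(cfg, SIX_MONTHS_SECS))
```

Running it shows the bucket in question 1 has hit neither trigger (15 days of span against 90, 375 MB against 750 MB), that frozenTimePeriodInSecs = 7776000 is 90 days rather than 6 months, and that enableDataIntegrityControl appears twice and resolves to "true".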