Splunk Enterprise Security

Bucket rotation and retention

LM_ACN
Engager

Hi all,

i'm here to ask you some information about a current setting i found on an existing Splunk Index.

In particular, this is the indexes.conf stanza related to the index A:

[A]
homePath = volume:primary/A/db
coldPath = volume:secondary/A/colddb
thawedPath = $SPLUNK_DB/A/thaweddb
homePath.maxDataSizeMB = 15360
coldPath.maxDataSizeMB = 30720
maxWarmDBCount = 4294967295
frozenTimePeriodInSecs = 7776000
maxDataSize = auto
coldToFrozenDir = /splunk/A/frozendb
archiver.enableDataArchive = 0
bucketRebuildMemoryHint = 0
compressRawdata = 1
enableDataIntegrityControl = 0
enableOnlineBucketRepair = 1
enableTsidxReduction = 0
maxTotalDataSizeMB = 102400
minHotIdleSecsBeforeForceRoll = 0
rtRouterQueueSize =
rtRouterThreads =
selfStorageThreads =
suspendHotRollByDeleteQuery = 0
syncMeta = 1
tsidxWritingLevel =
enableDataIntegrityControl=true

After checking bucket information via monitoring console, i have the following question:

1) Why there is a hot bucket related to the index A with with startEpoch 16 december and endEpoch 31 Dec, with size on disk 375MB ?
It's related to the fact it does not hit neither size nor time (default maxhotspansec=90days) parameter to roll to warm?

2) if my requirement is to set 6 months of retention of this index, how can i be sure parameter frozenTimePeriodinSec act as expected?

3) I was thinking to set maxHotSpanSecs to 1 day for hot to warm, but what about rolling from warm to cold in a way i does not create any kind of problem with conf modification on existing data?

Thanks in advance everyone.

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...