Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there any way to know about hot warm cold frozen buckets lifespan from Splunk GUI?

yourfriend
Loves-to-Learn
‎08-30-2022 10:19 AM

Hello Splunk team, I have two doubts please help me with details,

1. We are using Splunk cloud platform for Enterprise security. Is there any way to know the time span of buckets for how many days we have configured. For example Hot - 90 days Warm- 90 days like this data how to get to know from Splunk GUI, I have used "| dbinspect" in search query but I am unable to get the timing for how many days we have kept Hot, warm etc., 

2. While using a search query we can see the time range "All Time", so here what does it actually mean. Is this mean from when we have configured Splunk or from when logs got ingested or else only the Hot & Warm buckets database data.

Thanks in advance for letting me know the details.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-30-2022 11:59 AM

1.  Why does it matter?  Your contract with Splunk calls for a certain number of days of storage (typically, 90).  Splunk manages that for you.  How it breaks down between hot and warm doesn't affect how you search.

2. "All Time" means from your earliest event until the newest event.  Depending your data, the earliest event could pre-date when you installed/configured Splunk.  "All Time" searches are discouraged in Splunk Cloud because they can cause a lot of cache thrashing.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

yourfriend
Loves-to-Learn
‎09-13-2022 09:46 AM

@richgalloway 
Yes of course ! It doesn't matter to me while we are using cloud. But I was curious to see how many our Splunk team has maintaining. This was out of curiosity I have asked. 

So, Is there anyway to know how many days kept for Hot, Warm buckets.?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-13-2022 01:33 PM

You can get a feel for how long your hot buckets have been around by using dbinspect.

| dbinspect index=* 
| eval age=(endEpoch - startEpoch)/86400 
| stats sum(age) as age by index

In Splunk Cloud, the dbinspect command only shows hot buckets since warm buckets are in SmartStore.  You can be pretty sure, however, that warm buckets are about the same size as hot buckets.

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-31-2022 12:34 AM

Hi

addition to item 1. What I have understood is that all Splunk Cloud instances are currently using SmartStore to store all than how buckets. And as instances are from iXX.xxxx  all hot buckets has stored into local nvme disks. Size and amount of those instances and local nvme disks are based on your current license. As @richgalloway said, it's splunk issue to get this working according your license.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...