Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Bucket Resizing

silverKi
Path Finder
‎01-19-2025 11:49 PM

My friend and I have the same indexes.conf, but why are the bucket sizes being created different? Mine is around 1MB, but my friend's are created in 5.x MB units..

indexes.conf
[volume:hot]
path = /data/HOT
maxVolumeDataSizeMB = 100
 
[volume:cold]
path = /data/COLD
maxVolumeDataSizeMB = 100
 
[lotte]
homePath = volume:hot/lotte/db
coldPath = volume:cold/lotte/colddb
maxDataSize = 1
maxTotalDataSizeMB = 200
thawedPath = $SPLUNK_DB/lotte/thaweddb

silverKi_0-1737359056338.png

silverKi_1-1737359070348.png

 

 

Labels (2)
Tags (1)
0 Karma
Reply

tscroggins
Influencer
‎01-20-2025 01:13 PM

Hi @silverKi,

The maxDataSize for your hot buckets is 1 MB. Your friend's setting appears to be higher (5 MB).

To add to what's already been written, you're writing (compressed) data at different rates:

Friend: ~720 bytes per second
You: ~19 bytes per second

This will influence the size of the warm bucket after it rolls from hot when either maxDataSize (1 MB in your case) or the default maxHotSpanSecs value of 90 days has been exceeded.

Hot buckets can also roll to warm when Splunk is restarted or when triggered manually. That probably isn't happening here, but it's worth noting.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-20-2025 12:42 PM

You have very little data in your buckets. And comparing bucket sizes from two different environments with different data (especially if there's so little of that data) makes no sense.

Normally you'd expect buckets of several dozens or even hundreds of megabytes.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-20-2025 01:36 AM

Hi

there are several reasons which can cause to switch a new bucket event it's max size is reached. 

When you are looking how your configuration has done. you should always use btool instead of looking those from file. Btool tolds you how splunk see those configurations as usually those are combined from several files.

You both should use 

splunk btool indexes list --debug lotte

to see what is actual configuration for index lotte. 

One reason for small bucket can be source events which contains events which have time stamps from past and future. Basically those haven't continuous increasing timestamps.

When I look those smaller buckets there seem to be this kind of behavior based on those epoch times in bucket names.

r. Ismo

0 Karma
Reply

silverKi
Path Finder
‎01-20-2025 03:19 AM

silverKi_0-1737371890201.png

My configuration has not changed. 
I have verified that buckets are being created, and I have verified that a hot_quar_v1 bucket is being created. Why is it being created and how do I remove it?
Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...