Splunk Enterprise

Bucket Resizing

silverKi
Path Finder

My friend and I have the same indexes.conf, so why are the buckets being created with different sizes? Mine are around 1 MB, but my friend's are created in 5.x MB units.

indexes.conf
[volume:hot]
path = /data/HOT
maxVolumeDataSizeMB = 100
 
[volume:cold]
path = /data/COLD
maxVolumeDataSizeMB = 100
 
[lotte]
homePath = volume:hot/lotte/db
coldPath = volume:cold/lotte/colddb
maxDataSize = 1
maxTotalDataSizeMB = 200
thawedPath = $SPLUNK_DB/lotte/thaweddb



tscroggins
Influencer

Hi @silverKi,

The maxDataSize for your hot buckets is 1 MB. Your friend's setting appears to be higher (5 MB).

To add to what's already been written, you're writing (compressed) data at different rates:

Friend: ~720 bytes per second
You: ~19 bytes per second

This will influence the size of the warm bucket after it rolls from hot when either maxDataSize (1 MB in your case) or the default maxHotSpanSecs value of 90 days has been exceeded.

Hot buckets can also roll to warm when Splunk is restarted or when triggered manually. That probably isn't happening here, but it's worth noting.


PickleRick
SplunkTrust

You have very little data in your buckets. And comparing bucket sizes from two different environments with different data (especially if there's so little of that data) makes no sense.

Normally you'd expect buckets of several dozens or even hundreds of megabytes.


isoutamo
SplunkTrust

Hi

There are several reasons which can cause a switch to a new bucket even before its max size is reached.

When you are looking at how your configuration is applied, you should always use btool instead of reading it from the file. Btool tells you how Splunk sees those configurations, as they are usually combined from several files.

You both should use 

splunk btool indexes list --debug lotte

to see the actual configuration for index lotte.

One reason for small buckets can be sources which contain events with timestamps from the past and the future. Basically, those don't have continuously increasing timestamps.

When I look at those smaller buckets, there seems to be this kind of behavior, based on the epoch times in the bucket names.

r. Ismo


silverKi
Path Finder


My configuration has not changed. 
I have verified that buckets are being created, and I have verified that a hot_quar_v1 bucket is being created. Why is it being created and how do I remove it?
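An added triage script (my own example, not from the thread or from Splunk) that applies the two points raised above: it parses bucket directory names using the db_<latest>_<earliest>_<id> and hot_quar_v1_<id> naming pattern and flags warm buckets whose time range suggests far-past or future timestamps, or a span over the 90-day maxHotSpanSecs quoted in the thread. It assumes the default quarantinePastSecs (900 days) and quarantineFutureSecs (30 days) and runs on a constructed directory listing.

```python
import re

# Constructed sample listing of an index's db/ directory; not taken from the thread.
SAMPLE_LISTING = [
    "db_1737359000_1737358000_3",  # short, normal warm bucket
    "db_1737300000_1600000000_4",  # earliest event ~4 years before latest
    "db_1800000000_1737350000_5",  # latest event ~2 years in the future
    "hot_v1_6",                    # open hot bucket
    "hot_quar_v1_7",               # open hot quarantine bucket
    "lost+found",                  # not a bucket at all
]

WARM_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")   # db_<latest>_<earliest>_<localid>
HOT_RE = re.compile(r"^hot_(quar_)?v1_(\d+)$")    # hot_v1_<id> or hot_quar_v1_<id>

# Assumed Splunk defaults: quarantinePastSecs = 900 days, quarantineFutureSecs = 30 days.
# maxHotSpanSecs = 90 days is the value quoted in the thread.
QUARANTINE_PAST_SECS = 900 * 86400
QUARANTINE_FUTURE_SECS = 30 * 86400
MAX_HOT_SPAN_SECS = 90 * 86400


def classify_bucket(name, now):
    """Describe one bucket directory name; return None if it is not a bucket."""
    m = WARM_RE.match(name)
    if m:
        latest, earliest, local_id = (int(g) for g in m.groups())
        flags = []
        # Quarantine is decided at index time against the indexer's clock; 'now'
        # is the closest approximation available from a directory listing alone.
        if now - earliest > QUARANTINE_PAST_SECS:
            flags.append("past")
        if latest - now > QUARANTINE_FUTURE_SECS:
            flags.append("future")
        if latest - earliest > MAX_HOT_SPAN_SECS:
            flags.append("span")
        return {"name": name, "kind": "warm", "id": local_id, "earliest": earliest,
                "latest": latest, "span_secs": latest - earliest, "flags": flags}
    m = HOT_RE.match(name)
    if m:
        kind = "hot_quarantine" if m.group(1) else "hot"
        return {"name": name, "kind": kind, "id": int(m.group(2)), "flags": []}
    return None


def audit_listing(listing, now):
    """Classify every entry; return (all buckets, names worth a closer look)."""
    buckets = [b for b in (classify_bucket(n, now) for n in listing) if b]
    suspicious = [b["name"] for b in buckets if b["flags"] or b["kind"] == "hot_quarantine"]
    return buckets, suspicious
```

Run audit_listing over the output of `ls $SPLUNK_DB/lotte/db` with the current epoch time to see which buckets carry out-of-range timestamps; a "past" or "future" flag (or any hot_quar_v1 directory) points at a data source whose timestamps, not your indexes.conf, explain the small buckets.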