Splunk Enterprise

Old Data in Hot Buckets

phanichintha
Path Finder

Hello,

In my indexer I have old data in hot buckets. Why? Can anyone help me? I don't want this old data in hot buckets.

phanichintha_0-1594821484826.png

 


richgalloway
SplunkTrust
I'll assume you've restarted Splunk since 2017. Since a restart would have rolled those buckets to warm, I would say you're ingesting data with old timestamps.
---
If this reply helps you, Karma would be appreciated.
0 Karma

phanichintha
Path Finder

Hello Rich, Thanks for your swift response.

I restart the indexer twice a month, so I need a solution so that old data can move to warm buckets. I don't need any old data in hot buckets. I need day-wise (latest) data only in hot buckets. What should I do now?

0 Karma

richgalloway
SplunkTrust

If you restart the indexer twice a month then there should be no hot buckets more than 2 weeks old.  In theory, all hot buckets would have timestamps in the last two weeks, but sometimes data arrives with old/bad timestamps.  When that happens, a new hot bucket will be created for that old data.  I suspect this is what you are seeing, but it's a little hard to grok the Excel spreadsheet in your screen shot.

---
If this reply helps you, Karma would be appreciated.
0 Karma
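
Added example, not part of the original thread: a `dbinspect` search that lists hot buckets whose earliest event is more than two weeks old, which is how buckets created for data with old or bad timestamps show up. The `index=*` scope and the 14-day threshold (taken from the two-week restart interval mentioned above) are assumptions to adjust for your environment.

```spl
| dbinspect index=*
| search state=hot
| eval earliest_event=strftime(startEpoch, "%Y-%m-%d %H:%M:%S"),
       latest_event=strftime(endEpoch, "%Y-%m-%d %H:%M:%S"),
       age_days=round((now() - startEpoch) / 86400, 1),
       span_days=round((endEpoch - startEpoch) / 86400, 1)
| where age_days > 14
| table index, bucketId, state, eventCount, earliest_event, latest_event, age_days, span_days, path
| sort - age_days
```

A large `age_days` with a small `eventCount` usually points to a handful of events with old or mis-parsed timestamps; a large `span_days` means old and current events are mixed in the same bucket.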

phanichintha
Path Finder

Thank you, Rich,

After I restarted the indexer, the changes happened.

0 Karma