Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Old Data in Hot Buckets

phanichintha
Path Finder
‎07-15-2020 07:02 AM

Hello,

In my indexer i have old data in hot buckets why can any once help me I don't want this old data in hot buckets.

phanichintha_0-1594821484826.png

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-15-2020 10:19 AM

If you restart the indexer twice a month then there should be no hot buckets more than 2 weeks old.  In theory, all hot buckets would have timestamps in the last two weeks, but sometimes data arrives with old/bad timestamps.  When that happens, a new hot bucket will be created for that old data.  I suspect this is what you are seeing, but it's a little hard to grok the Excel spreadsheet in your screen shot.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-15-2020 08:56 AM
I'll assume you've restarted Splunk since 2017. Since a restart would have rolled those buckets to warm, I would say you're ingesting data with old timestamps.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

phanichintha
Path Finder
‎07-15-2020 09:13 AM

Hello Rich, Thanks for your swift response.

I restart the indexer twice in a month, so i need a solution that old data can move to warm buckets. I don't need any old data in hot buckets. I need day-wise(latest) data only in hot buckets. what should i do now? 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-15-2020 10:19 AM

If you restart the indexer twice a month then there should be no hot buckets more than 2 weeks old.  In theory, all hot buckets would have timestamps in the last two weeks, but sometimes data arrives with old/bad timestamps.  When that happens, a new hot bucket will be created for that old data.  I suspect this is what you are seeing, but it's a little hard to grok the Excel spreadsheet in your screen shot.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

phanichintha
Path Finder
‎07-15-2020 11:52 PM

Thank you, Rich,

After i restarted the Indexer the changes happen.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...