Hi

you could search a reason for deleting bucket from internal index. You can start with 

index=_internal *cold* *<your index or bucket Id>* 

You will get list of buckets. Select one which are frozen. Then use that bucket id to see the process how and why it has frozen.

r. Ismo

Thank you,

I randomly ran it for a few buckets and observed the following message:

Moving bucket='rb_1681312487_1677890027_1731_FBA51F26-2043-4798-B18D-2D637A7347B9', initiating warm_to_cold: from='/Data/splunkdb/o365/db' to='/Data/splunkdb/o365/colddb', caller='chillIfNeeded', reason='maximum number of warm buckets exceeded'.

I'm not sure if this is the reason that could be affecting the data retention period. Initially, I had "maxHotBuckets = 10" defined, but it's no longer defined, and I've left it as the default value.

[test]
coldPath = volume:primary/test/colddb
homePath = volume:primary/test/db
thawedPath = $SPLUNK_DB/test/thaweddb
maxTotalDataSizeMB = 512000
frozenTimePeriodInSecs = 39420043

To add to the above details, the "thaweddb" folder is blank and doesn't contain any buckets.

For now, I have increased the "frozenTimePeriodInSecs" by a few more months, but I'm not sure if it will work. Any other advice would be very helpful.

The data can be frozen (in your case - deleted if not configured otherwise) in one of three cases:

1) The buckets in the index get too old (most recent event in a bucket is older than the retention period for the index) or

2) The index exceeds the size limit

3) The volume hits the size limit.

So you have to verify if any of those three conditions are met.

Additionally, check your effective configuration with btool. Maybe you're looking in a wrong file for the settings.

I did, the size defined is 500GB and most of the indexes are around 300-400GB.

Hi @spodda01da 

Run follwing command to check 
if buckets are deleting before  actual retion days

index=_internal sourcetype=splunkd bucketmover "*will attempt to freeze*"
| eval "Index Last Event"=strftime(now,"%d-%m-%y %H:%M:%S")
| eval "Index First Event"=strftime(latest,"%d-%m-%y %H:%M:%S")
| eval "Actual Data Stored"=round((now-latest)/86400,0)
| eval "Index Rention Days"=frozenTimePeriodInSecs/86400
| table candidate "Index Rention Days" "Actual Data Stored" "Index First Event" "Index Last Event"

if  "Actual Data Stored"  less than "Index Rention Days" then  data ingestion more on index 
and as menioned by @GaetanVP  maxTotalDataSizeMB has presencede over frozenTimePeriodInSecs.

in that case you may need to increase the disk space 

----
Regards,
Sanjay Reddy

----
If this reply helps you, Karma would be appreciated.

Thanks @SanjayReddy , I ran the script and see following details:

This issue is not specific to one index but with almost all has oldest data of 270 days.