Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timestamps and buckets

PickleRick
SplunkTrust
SplunkTrust
‎10-13-2021 08:52 AM

Please confirm something or correct me.

If I understand correctly, it's the event's _time that's the basis for bucket ageing (hot->warm->cold(->frozen)), right?

I understand that it's typically designed this way for collecting event which have monotonicaly "growing" time. But what would happen if my source (regardless of the reason) generated events with a "random" timestamp? One could be from an old past (several years, maybe?), another from the future and so on. Would it mean that I'd have a chance to roll the buckets after just one or two events because I'd have sufficiently old events or sufficiently  big timespan in case of hot buckets?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-13-2021 10:53 AM

You are correct that _time is used to put events into buckets.

Events with timestamps outside a specified range are put into "quarantine" buckets.  A quarantine bucket is a separate hot bucket that counts toward the maxHotBuckets limit.  The time range for quarantine is set by quarantinePastSecs and quarantineFutureSecs in indexes.conf.  I imagine it's possible for a quarantine bucket with a single event in it to eventually roll to warm.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-13-2021 10:53 AM

You are correct that _time is used to put events into buckets.

Events with timestamps outside a specified range are put into "quarantine" buckets.  A quarantine bucket is a separate hot bucket that counts toward the maxHotBuckets limit.  The time range for quarantine is set by quarantinePastSecs and quarantineFutureSecs in indexes.conf.  I imagine it's possible for a quarantine bucket with a single event in it to eventually roll to warm.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-13-2021 11:14 AM

Ahhh. That's the information lacking in the training 😉

Thanks for supplementing my knowledge 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...