Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does merge-buckets only merge up to 300 buckets?

schose
Builder
‎05-23-2022 06:11 AM

Hi all,

I'm checking out the "merge-buckets" command. I created an index with 1000 events per bucket. in sum my index have 

 

~/splunk/bin/splunk search "| dbinspect index=testbuckets2 | stats count"
count
-----
5479

 

 

buckets.

 

~/splunk/bin/splunk merge-buckets --index-name=testbuckets2 --min-size=1 --max-count=1000 
Using the following config: --max-count=1000 --min-size=1 --max-size=1000 --max-timespan=7776000
Found (300) buckets to merge.

Starting to merge (300) buckets. Number of buckets already merged: 0/300 (0.00%).
New Bucket:
/Users/andreas/splunk/var/lib/splunk/testbuckets2/db/db_1653310364_1653310268_17359

Number of buckets merged: 300/300 (100.00%).
Number of buckets created: 1.
Time taken: 27 seconds, 21 milliseconds

 

 

after the operation i see 299 buckets less

 

~/splunk/bin/splunk search "| dbinspect index=testbuckets2 | stats count"

count
-----
5180

 

 

running merge-bucket a second time doesn't merge any further buckets.  It seems there is a hardcoded limit of 300 buckets?! any good reason for this?

best regards,

Andreas

Labels (2)
Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!