Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Configure timespan bucket
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Configure timespan bucket
Hi guys,
I have to configure the timespan to roll data to warm, cold and frozen.
The question is:
How can configure timespan to roll from hot to warm?
And from warm to cold? And from cold to frozen?
This configurations must be done in each index in indexes.conf?
I read the http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/Configureindexstorage and http://docs.splunk.com/Documentation/Splunk/6.5.2/admin/Indexesconf document but I only found frozenTimePeriodInSecs not like "hotTimePeriodInSecs"
Thank you so much guys!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is how the data buckets roll in Splunk
first stage: hot bucket
Data is actively written and searched in hot buckets. There can be maxHotBuckets number hot buckets written at a time. When one of following condition happens, hot bucket rolls to warm bucket
1) splunkd restart
2) bucket reaches size defined by maxDataSize
3) bucket reaches age defined by maxHotSpanSecs
second stage: warm bucket
Data is NOT written but actively searched. There can be maxWarmDBCount in the homePath directory. They roll to cold if
1) maxWarmDBCount exceeds
2) homePath/volume size limit exceeds
third stage: cold
Read-only and considered not actively searched. This rolls to frozen if age of all events in the cold bucket exceeds frozenTimePeriodInSecs or total index size exceeds maxTotalDataSizeMB.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi somesoni2
Tks for your response.
I understand. But I have to configure maxHotSpanSecs in which sector of the indexes.conf? In each index stanza or in "index specific defaults"
Other point: warm bucket to cold bucket do I have maxWarmSpanSecs too?
Thanks again ma friend.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just be careful with maxHotSpanSecs with its default of 7776000 - 90 days! one major objective is to have fewer buckets as possible and this value helps in this regard. If you reduce it and the flow of data into this index is relatively low, you can create lots of small buckets, that the OS might not like.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can put in default, which would make it valid for all index that do not have a different value configured in their own stanza.
There is no maxWarmSpanSecs at all. They on roll when one of the above mentioned criterias is fulfilled.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
