Splunk Search

Question regarding small buckets warning

ernest825
Engager

So I'm getting the notice regarding small buckets on an index, 100% small buckets on one particular index. Now this index is a summary index that only gets a small volume of new records every day. So it makes sense that the buckets never get large before they're rolled to warm.

Now for various reasons we want to keep this data separate from other indexes, mainly because this summary data will live forever whereas other indexes are set for a limited retention period.

The index is tiny, current size is 8MB and it's holding summary info for the past 8 months, 7 small buckets so far this year.

I have two questions:
1) Since this is a small index, do I have to worry about it only having small buckets?
2) Assuming having just small buckets in this particular index doesn't cause any major performance problem for the system overall, how do I turn off the alert for this one index?


isoutamo
SplunkTrust

Hi

I don't suppose that this is an issue. You could just ignore those warnings.

If you want, you could maybe try to extend maxHotSpanSecs, but as its default is 90 days, it's quite obvious that the reason for rolling those buckets from hot to warm is something else.

r. Ismo 

ernest825
Engager

Thanks for your reply @isoutamo.

Ignoring the warning is what we've been doing until now. It's not something I like doing because sooner or later it may result in some other warning being ignored. Looks like in this case we have no choice.

One thing that I didn't mention in my original post was that we've been using the fill_summary_index.py script to fill in gaps in the summary index, and I think that might have created extra buckets, resulting eventually in more buckets being rolled after 90 days. And of course there are restarts every so often for OS patching, etc. I doubt that the buckets would become anything other than small even if we doubled maxHotSpanSecs.

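A check for what this post is reasoning about, added here as an example and not from either poster: list the buckets of the summary index with their state, size and time span, so you can see whether each bucket rolled at the 90-day maxHotSpanSecs limit or earlier (after a restart or a backfill run). The index name my_summary is a placeholder for your own summary index.

```spl
| dbinspect index=my_summary
| eval spanDays = round((endEpoch - startEpoch) / 86400, 1)
| table bucketId state sizeOnDiskMB eventCount spanDays modTime
| sort - modTime
```

Buckets whose spanDays is well under 90 rolled for a reason other than maxHotSpanSecs, so raising that setting would not make them larger.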

isoutamo
SplunkTrust
Yes, I suppose so. And I totally agree with you that there shouldn't be any warnings in logs if it's possible to avoid them. Sooner or later those usually change to errors 😞
r. Ismo