Splunk Search

Question regarding small buckets warning

ernest825
Engager

So I'm getting the notice regarding small buckets on an index, 100% small buckets on one particular index. Now this index is a summary index that only gets a small volume of new records every day. So it makes sense that the buckets never get large before they're rolled to warm.

Now for various reasons we want to keep this data separate from other indexes, mainly because this summary data will live forever whereas the other indexes are set for a limited retention period.

The index is tiny, current size is 8MB and it's holding summary info for the past 8 months, 7 small buckets so far this year.

I have two questions:
1) Since this is a small index, do I have to worry about it only having small buckets?
2) Assuming having just small buckets in this particular index doesn't cause any major performance problem for the system overall, how do I turn off the alert for this one index?


0 Karma

isoutamo
SplunkTrust

Hi

I don't suppose that this is an issue. You could just ignore those warnings.

If you want, you could maybe try to extend `maxHotSpanSecs`, but as its default is 90 days, it's quite obvious that the reason for rolling those buckets from hot to warm is something else.

r. Ismo 
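To check what is actually rolling the buckets before touching `maxHotSpanSecs`, a `dbinspect` search over the index shows each bucket's state, time span and size; this is an added example, not from the thread, and `summary_idx` is a placeholder for the real index name.

```spl
| dbinspect index=summary_idx
| eval spanDays = round((endEpoch - startEpoch) / 86400, 1)
| eval start = strftime(startEpoch, "%Y-%m-%d"), end = strftime(endEpoch, "%Y-%m-%d")
| table bucketId state start end spanDays sizeOnDiskMB eventCount modTime
| sort start
```

Warm buckets whose `spanDays` is well under 90 were rolled by something other than `maxHotSpanSecs` (a restart, or a backfill writing events outside the open hot bucket's time range), and overlapping `start`/`end` ranges point to backfill-created buckets.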

ernest825
Engager

Thanks for your reply @isoutamo.

Ignoring the warning is what we've been doing until now. It's not something I like doing because sooner or later it may result in some other warning being ignored. Looks like in this case we have no choice.

One thing that I didn't mention in my original post was that we've been using the fill_summary_index.py script to fill in gaps in the summary index, and I think that might have created extra buckets, resulting eventually in more buckets being rolled after 90 days. And of course there are restarts every so often for OS patching, etc. I doubt that the buckets would become anything other than small even if we doubled maxHotSpanSecs.

0 Karma

isoutamo
SplunkTrust
Yes, I suppose so. And I totally agree with you that there shouldn't be any warnings in logs if it's possible to avoid them. Sooner or later those usually change to errors 😞
r. Ismo
0 Karma