Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Question regarding small buckets warning

ernest825
Engager
‎08-25-2020 07:37 AM

So I'm getting the notice regarding small buckets on an index, 100% small buckets on one particular index. Now this index is a summary index that only gets a small volume of new records every day. So it makes sense that the buckets never get large before they're rolled to warm.

Now for various reason we want to keep this data separate from other indexes, mainly this summary data will live forever whereas  other indexes are set for a limited retention period.

The index is tiny, current size is 8MB and it's holding summary info for the past 8 months, 7 small buckets so far this year.

I have two questions:
1) since this is a small index do I have to worry about it only having small buckets?
2) Assuming having just small buckets in this particular index doesn't cause any major performance problem for the system overall how do I turn off the alert for this one index?

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-25-2020 07:55 AM

Hi

I'm not suppose that this is a issue. You could just ignore those warnings.

If you want you maybe could try to extend the 

maxHotSpanSecs

but as it's default is 90 days then it's quite obvious that reason for rolling those buckets from hot to warm is something else.

r. Ismo 

Reply

ernest825
Engager
‎08-29-2020 04:33 AM

Thanks for your reply @isoutamo.

Ignoring the warning is what we've been doing until now. It's not something I like doing because sooner or later it may result in some other warning being ignored. Looks like in this case we have no choice.

One thing that I didn't mention in my original post was that we've been using the fill_summary_index.py script to fill in gaps in the summary index and I think that might have created extra buckets resulting eventually in more buckets being rolled after 90 days.  And of course there's restarts every so often for OS patching, etc. I doubt that the buckets would become anything other than small even if we doubled maxHotSpanSecs.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-29-2020 05:01 AM
Yes, I suppose so. And totally agree with you that there shouldn't be any warnings on logs if it's possible to avoid. Sooner or later those usually changes to errors 😞
r. Ismo
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...