homePath = volume:cold/_internaldb/db

Are you sure you want your hot data on the cold volume?

Anyway, you have small buckets, which is relatively rare for a Splunk installation and it skews your observations. There is no guarantee that the limits will be enforced precisely.

Anyway, it works like this - every now and then (I don't remember the exact interval; you can find it in servers.conf) the housekeeping thread wakes up and checks the indexes.

If a hot bucket triggers criteria (bucket size, inactivity time and so on), it is rolled to warm.

If warm buckets for an index trigger criteria (number of warm buckets per index), the oldest bucket for the index (in terms of the most recent event in the bucket) is rolled to cold.

If the hot/warm volume exceeds its size, the oldest bucket for the whole volume is rolled to cold.

If cold buckets for an index trigger criteria (retention time, data size), the oldest bucket is rolled to frozen.

If the cold volume exceeds its size, the oldest bucket for the whole volume is rolled to frozen.

That's how it's supposed to work.
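
The pass described in the answer above can be modelled in a few lines. This is an added example, not part of the original post and not Splunk code: the limit names in `LIMITS`, the index names and the bucket data are constructed, and it assumes that only warm buckets are moved when the hot/warm volume is over its size.

```python
from dataclasses import dataclass

@dataclass
class Bucket:
    index: str
    state: str    # hot, warm, cold or frozen
    size: int     # MB
    latest: int   # time of the most recent event in the bucket

def housekeeping_pass(buckets, now, lim):
    """One wake-up of the housekeeping thread, rules in the post's order."""
    def sel(state, index=None):
        return [b for b in buckets if b.state == state and index in (None, b.index)]
    def roll_oldest(pool, to):   # oldest = earliest "most recent event"
        min(pool, key=lambda b: b.latest).state = to
    def size(pool):
        return sum(b.size for b in pool)
    indexes = sorted({b.index for b in buckets})
    for b in sel("hot"):                          # hot -> warm: size or inactivity
        if b.size >= lim["hot_mb"] or now - b.latest >= lim["hot_idle"]:
            b.state = "warm"
    for ix in indexes:                            # per index: warm bucket count
        while len(sel("warm", ix)) > lim["warm_count"]:
            roll_oldest(sel("warm", ix), "cold")
    # hot/warm volume size, across all indexes (assumption: only warm buckets move)
    while sel("warm") and size(sel("hot") + sel("warm")) > lim["home_mb"]:
        roll_oldest(sel("warm"), "cold")
    for ix in indexes:                            # per index: retention, data size
        for b in sel("cold", ix):
            if now - b.latest > lim["retention"]:
                b.state = "frozen"
        while sel("cold", ix) and size(sel("cold", ix)) > lim["index_cold_mb"]:
            roll_oldest(sel("cold", ix), "frozen")
    while sel("cold") and size(sel("cold")) > lim["cold_mb"]:   # cold volume size
        roll_oldest(sel("cold"), "frozen")
    return [(b.index, b.latest, b.state) for b in buckets]

# Constructed sample: a quiet "audit" index sharing volumes with a busy "noisy" one.
LIMITS = dict(hot_mb=10, hot_idle=100, warm_count=2, home_mb=40,
              retention=900, index_cold_mb=100, cold_mb=20)
def sample():
    return [Bucket("audit", "cold", 8, 300), Bucket("noisy", "cold", 8, 600),
            Bucket("noisy", "cold", 8, 700), Bucket("noisy", "warm", 8, 800),
            Bucket("noisy", "warm", 8, 850), Bucket("noisy", "warm", 8, 900),
            Bucket("noisy", "hot", 10, 990), Bucket("audit", "hot", 2, 995)]

if __name__ == "__main__":
    for row in housekeeping_pass(sample(), now=1000, lim=LIMITS):
        print(*row)
```

In this sample the "audit" cold bucket is frozen by the cold-volume rule even though it is still inside its own retention time, because the other index fills the shared volume.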