This is a change which is made on the indexer/Search head. I don't think forwarders have an indexes.conf file. ... View more

Yes, the issues are still resolved, for months now. I haven't seen the warning again. The main cause of this issue is most likely going to be because the timestamps on the data you are feeding in are all over the place. Splunk wants to be mostly chronological, so the buckets contain data from a certain window of time. For example, if your max buckets was set to say 3, and they will hold data from 6 hour windows, and you are feeding in data which is within an 18 hour window, things will be fine, as it can put it in the appropriate 6 hour bucket. If you then give it some data with a random time from outside that 18 hour window, it doesn't have a bucket to put it in. This will cause it to force close/roll one of the hot buckets early, and create a new bucket for the "random" data. If you then resume giving it data from within the 6 hour window of the hot bucket which was just force rolled to warm in order to create the hot bucket for the random data, now you're back to the same issue; Splunk doesn't have a bucket to put it in. This will cause a repeat of the "roll hot to warm; create new bucket" process, on one of the other buckets, causing it to roll early. Warm buckets cannot be rolled back to hot buckets, Splunk only creates new ones, so if you keep feeding it data with timestamps all over the place, outside of the window of time it has buckets for, it's going to cause buckets to have to be rolled early and new, overlapping ones created constantly, which is what causes this issue. As I said above, the 2 things which fixed it for me was to perform searches of data "from the future", which identified data sources that were in GMT/UTC vs GMT-5/-6/-7 (where my sources actually are), and to fix the timezone of the timestamps at the source, (or by making sure props.conf contains parser definitions for your specific data sources in order to mangle them to the correct timezone), and also by increasing the maximum hot buckets Splunk is allowed to juggle at once, in my case from 3 to 5. Just increasing the max buckets may "fix" the issue, but now you're potentially going to end up with records that are incorrectly timestamped all over the place, and your queries won't even find/return them, since they will be in buckets which don't get searched as they are outside the time frame your query is looking in. ... View more

The search is literally "*" and then the date time range set to the future. ... View more

Hi Julian, Yes, as my reply above says, we resolved this issue. It was mainly fixed by running a search to show us events "from the future" (eg "*" using date/time range between half an hour or so in the future and say a week in the future) , in order to identify the data sources which were configured and/or had datestamps being parsed incorrectly (eg UTC/GMT being parsed as 5 hours in the future, since we are in EST/UTC-5), and then fixing all of these to return correct/sane values, and also by increasing our hot buckets for the indexer DB, which had been set to 3 (I think I set it to 5), and finally restarting Splunk. It's been a couple of weeks now and the warning has not returned. ... View more

Even using your app, and looking in the log files, I couldn't find any evidence that it was actually creating 60% new buckets each hour as it claimed to be. I modified the /opt/splunk/etc/system/local/indexes.conf file and added the following to turn the internal buckets up to 5, from 3: [_internal] homePath = $SPLUNK_DB/_internaldb/db coldPath = $SPLUNK_DB/_internaldb/colddb thawedPath = $SPLUNK_DB/_internaldb/thaweddb maxHotBuckets=5 After a restart it's now showing green and has stayed that way for about 20 hours now. ... View more

See the other thread which is pretty much a duplicate of this one, here: https://answers.splunk.com/answers/701550/health-status-the-percentage-of-small-of-buckets-c.html#answer-717593 Long story short is that the issue is caused by data which is arriving out of chronological order, caused by timezone parsing or sending issues, which needs to be fixed by modifying your timezone parsers, and/or reconfiguring the sending systems to include TZ offset, or the props.conf to specify the TZ of each source. ... View more

I too opened a case with Splunk regarding this, and we identified that the cause was due to both problems with the timezone parsing causing Splunk to think that events were months in the future, and also due to the source systems being in different timezones, and some sending records with timestamps in the local (eg EST, CST, MST) tz, and others sending UTC, so it appeared to be 5 hours in the future. The months in the future issues were fixed by modifying the timestamp parsers for those records, the timezone offset issue I am still trying to work our how to solve. ... View more