G'day, Hot buckets are created when data is ingested into Splunk. Hot buckets are rolled to warm when one of the following occurs. "MaxDataSize" limit is reached - The maximum size, in megabytes, that a hot bucket can reach before splunkd triggers a roll to warm. Lifetime of the hotbucket is older than "maxHotSpanSecs" Manual rollover of Hot bucket Indexer restart With MaxDataSize set to auto (750MB) and maxHotSpanSecs set to 86400(1 Day) they should roll over as you require (assuming the bucket size is ~20-30MB). Are you able to send through what you have configured in you indexes.conf (Both global and per index). *EDIT* I missed your title statement "maxHotSpanSecs of 1h" - You need to roll every hour? maxHotSpanSecs would need to be configured as 3600 (1 Hour). Please note 3600 is the minimum setting for maxHotSpanSecs Either way let me know/send through your current config Regards theTech
... View more