Apologies for seeing this post so late. Hopefully the response can still be of help to others.

There is a default bucket count for merging, but that is overridden by the --max-count=1000 parameter specified. There could be various reasons for not merging more buckets:

1) The time span for a bucket is defaulted to 7776000 secs (90 days). If the buckets are very spread out, the buckets may not be large enough to be merged to meet the min-size of 1MB that was specified (--min-size=1).

2) Only warm buckets can be merged. Cold, hot and frozen buckets cannot be merged.

The count of 300 is most likely due to this parameter, maxWarmDBCount. The default is only 300 warm buckets. Once exceeded, Splunk will roll the warm buckets to cold, and you will not be able to merge them. For your test, you can change this to a really large number.

maxWarmDBCount = <nonnegative integer>
* The maximum number of warm buckets.
* Warm buckets are located in the 'homePath' for the index.
* If set to zero, splunkd does not retain any warm buckets.
  It rolls the buckets to cold as soon as it is able.
* Splunkd ignores this setting on remote storage enabled indexes.
* Highest legal value is 4294967295.
* Default: 300

This is the link to the official docs:
https://docs.splunk.com/Documentation/Splunk/9.0.1/Troubleshooting/CommandlinetoolsforusewithSupport

I would recommend also adding the following parameters: --dryrun and --debug.

~/splunk/bin/splunk merge-buckets --index-name=testbuckets2 --min-size=1 --max-count=1000 --dryrun --debug