@coltwanger is actually right on this. The maxHotSpanSecs and maxHotIdleSecs won't kick in until the idle time gap between the most recent event arriving at the hot bucket and the newly arriving event exceeds the value defined. Hence, if events are constantly coming into the hot bucket, it won't roll even with maxHotSpanSecs/maxHotIdleSecs set to 1hr/1day etc.
maxHotSpanSecs =
* Upper bound of timespan of hot/warm buckets in seconds.
* NOTE: If you set this too small, you can get an explosion of hot/warm
buckets in the filesystem.
* NOTE: If you set maxHotBuckets to 1, Splunk attempts to send all
events to the single hot bucket and maxHotSpanSeconds will not be
enforced.
* If you set this parameter to less than 3600, it will be automatically
reset to 3600.
* This is an advanced parameter that should be set
with care and understanding of the characteristics of your data.
* Highest legal value is 4294967295
* Defaults to 7776000 seconds (90 days).
* Note that this limit will be applied per ingestion pipeline. For more
information about multiple ingestion pipelines see parallelIngestionPipelines
in server.conf.spec file.
* With N parallel ingestion pipelines, each ingestion pipeline will write to
and manage its own set of hot buckets, without taking into account the state
of hot buckets managed by other ingestion pipelines. Each ingestion pipeline
will independently apply this setting only to its own set of hot buckets.
* NOTE: the bucket timespan snapping behavior is removed from this setting.
See the 6.5 spec file for details of this behavior.
maxHotIdleSecs =
* Provides a ceiling for buckets to stay in hot status without receiving any
data.
* If a hot bucket receives no data for more than maxHotIdleSecs seconds,
Splunk rolls it to warm.
* This setting operates independently of maxHotBuckets, which can also cause
hot buckets to roll.
* A value of 0 turns off the idle check (equivalent to infinite idle time).
* Highest legal value is 4294967295
* Defaults to 0.
Feedback from engineering:
"maxHotSpanSecs would be of lesser priority from the default settings within indexes.conf. We'd like to make sure first that we don't make too many small buckets so we'd prefer to "expand" a hot bucket time range rather than be strict with it."
"There is no rule about rolling to warm when exceeding the maxHotSpanSecs. We roll a bucket to warm because it's been idle too long, we've reached maxHotBuckets (-1 if no quarantine bucket) or a bucket has reached a certain size in disk."
"If we cannot find a bucket with the correct time range for an event, we find the next best bucket and expand that range. To check that we still honor the maxHotSpanSecs without the influence of the above behavior"
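The spec notes quoted in the post above can be checked mechanically before relying on a stanza for bucket rotation. The following is an added example, not part of the original post and not Splunk tooling: a small linter that flags only the conditions stated in the quoted spec text. The stanza names and values in the sample are constructed, and the function name is hypothetical.

```python
import configparser

MAX_LEGAL = 4294967295          # "Highest legal value" in the quoted spec
SPAN_FLOOR = 3600               # values below this are reset to 3600
SPAN_DEFAULT = 7776000          # quoted default for maxHotSpanSecs (90 days)

# Constructed sample; index names and values are illustrative only.
SAMPLE_CONF = """
[fw_logs]
maxHotSpanSecs = 900
maxHotIdleSecs = 86400

[auth_logs]
maxHotSpanSecs = 86400
maxHotBuckets = 1

[proxy_logs]
maxHotSpanSecs = 86400
maxHotIdleSecs = 0
"""

def lint_indexes_conf(text):
    """Return {stanza: [warnings]} based only on the spec notes quoted above."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__none__")
    cp.optionxform = str        # keep setting names exactly as written
    cp.read_string(text)
    findings = {}
    for stanza in cp.sections():
        s, notes = cp[stanza], []
        span = int(s.get("maxHotSpanSecs", SPAN_DEFAULT))
        idle = int(s.get("maxHotIdleSecs", 0))   # quoted default is 0
        if span < SPAN_FLOOR:
            notes.append("maxHotSpanSecs below 3600 is reset to 3600")
        if max(span, idle) > MAX_LEGAL:
            notes.append("value above highest legal value 4294967295")
        if s.get("maxHotBuckets", "").strip() == "1":
            notes.append("maxHotBuckets=1: maxHotSpanSecs is not enforced")
        if idle == 0:
            notes.append("maxHotIdleSecs=0: idle check is off")
        findings[stanza] = notes
    return findings

if __name__ == "__main__":
    for stanza, notes in lint_indexes_conf(SAMPLE_CONF).items():
        print(stanza, notes or ["no spec-level warnings"])
```

A clean result here only means the stanza avoids the spec's stated pitfalls; per the post, a hot bucket that keeps receiving events still will not roll on these settings.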