Splunk Enterprise Security

Is there any way to know about hot warm cold frozen buckets lifespan from Splunk GUI?

yourfriend
Loves-to-Learn

Hello Splunk team, I have two doubts. Please help me with the details.

1. We are using the Splunk Cloud platform for Enterprise Security. Is there any way to know the time span of the buckets, i.e. for how many days we have them configured? For example, Hot - 90 days, Warm - 90 days. How can I find this information in the Splunk GUI? I have used "| dbinspect" in a search query, but I am unable to get the timing for how many days we keep Hot, Warm, etc.

2. While using a search query we can see the time range "All Time". What does it actually mean? Does it mean from when we configured Splunk, from when logs were ingested, or only the data in the Hot & Warm buckets?

Thanks in advance for letting me know the details.

0 Karma

richgalloway
SplunkTrust

1. Why does it matter? Your contract with Splunk calls for a certain number of days of storage (typically 90). Splunk manages that for you. How it breaks down between hot and warm doesn't affect how you search.

2. "All Time" means from your earliest event until the newest event. Depending on your data, the earliest event could pre-date when you installed/configured Splunk. "All Time" searches are discouraged in Splunk Cloud because they can cause a lot of cache thrashing.

---
If this reply helps you, Karma would be appreciated.
0 Karma

yourfriend
Loves-to-Learn

@richgalloway 
Yes, of course! It doesn't matter to me while we are using the cloud. But I was curious to see how many days our Splunk team has been maintaining. I asked this out of curiosity.

So, is there any way to know how many days are kept for Hot and Warm buckets?

0 Karma

richgalloway
SplunkTrust

You can get a feel for how long your hot buckets have been around by using dbinspect.

| dbinspect index=* 
| eval age=(endEpoch - startEpoch)/86400 
| stats sum(age) as age by index

In Splunk Cloud, the dbinspect command only shows hot buckets since warm buckets are in SmartStore. You can be pretty sure, however, that warm buckets are about the same size as hot buckets.


---
If this reply helps you, Karma would be appreciated.
0 Karma

isoutamo
SplunkTrust

Hi

In addition to item 1: What I have understood is that all Splunk Cloud instances are currently using SmartStore to store all buckets other than hot. And as instances are from iXX.xxxx, all hot buckets are stored on local NVMe disks. The size and number of those instances and local NVMe disks are based on your current license. As @richgalloway said, it's Splunk's issue to get this working according to your license.

r. Ismo

0 Karma