To find out where something is configured, run this from the Splunk home path on the CLI:

./bin splunk cmd btool indexes list your_index --debug

I had run into something like this before and adjusted my maxWarmDBCount to several thousand (default 300). That helped before when I was losing buckets fast (small cold retention, then freezing and rolling off). Running on 6.2.3.

Now I am seeing a very occasional bucket move to cold which is fine for now but I do not see why it is happening. I have plenty of space and my maxWarmDBCount update is still there:
./splunk cmd btool indexes list | grep -A30 | grep maxWarmDBCount
Is there some need to distinguish hot and warm settings? They are in the same index homes for me (volume:hot:*).

That froze a cold bucket, maybe because of the cold volume size.

Martin, I think so. I'm uncovering a few things here.

One my coldb volume had a max size of of 20MB (20), which means this at a size of 504MB could not have been written and thus just deleted..

The other issue that I'm seeing and trying to fix is that this particular index has a different cold Path set inside the GUI (I can't find where it's been written to a file and I can't change it's location in the GUI, sooo). The other indexes not showing this issue have the standard default cold path specified, so that data is being put into cold storage but not deleted. The lack of volume space set on the impacted indexes are causing this to roll from warm to frozen (deleted), vs to cold..

So now I need to figure out where splunk is holding this colddb path for a couple of my indexes that are not the default and change them, I may just have to add the index config into the indexes.conf file. bahhh..

Thanks for the assistance, def got me looking in different places
Tory

Ahh thanks

04-21-2015 14:54:06.305 -0700 INFO BucketMover - idx=t_activity Moving bucket='db_1427847473_1427843268_6051' because maximum number of warm databases exceeded, starting warm_to_cold: from='/splunkdata/t_activity/db' to='/mounts/splunk_cold/t_activity/colddb'

So is this a clue? I'm wondering why it's moving from warm to cold anyways, do I not have enough buckets allocated for hot/warm? I have nothing in my configs so would think it would be using the 6 year rule. So now what 🙂 And thanks!

Okay I bumped bucket size to 3000, however I'm not seeing any data in my colddb directory actually ..

Plan to move COLD bucket|dir with LT=1425602427, path=/mounts/splunk_cold/torque/colddb/db_1425602427_1425592226_1507, reductionSize=526540800 (502MB)
04-21-2015 11:57:28.505 -0700 INFO BucketMover - AsyncFreezer freeze succeeded for bkt='/mounts/splunk_cold/torque/colddb/db_1425602427_1425592226_1507'
04-21-2015 16:20:43.386 -0700 INFO databasePartitionPolicy - idx=torque, Initializing, params='[3000,period=60,frozenTimePeriodInSecs=188697600,coldToFrozenScript=,coldToFrozenDir=,warmToColdScript=,maxHotBucketSize=786432000,optimizeEvery=5,syncMeta=true,maxTotalDataSizeMB=500000,maxMemoryAllocationPerHotSliceMB=5,addressCompressBits=5,isReadOnly=false,maxMergizzles=6,signatureBlockSize=0,signatureDatabase=_blocksignature,maxHotSpanSecs=7776000,maxMetadataEntries=1000000,maxHotIdleSecs=0,maxHotBuckets=3,quarantinePastSecs=77760000,quarantineFutureSecs=2592000,maxSliceSize=131072,serviceMetaPeriod=25,partialServiceMetaPeriod=0,throttleCheckPeriod=15,homePath_maxDataSizeBytes=0,coldPath_maxDataSizeBytes=0,compressionLevel=-1,fsyncInterval=18446744073709551615,maxBloomBackfillBucketAge_secs=2592000,enableOnlineBucketRepair=true,maxUnreplicatedMsecWithAcks=60000,maxUnreplacatedMsecNoAcks=300000,alwaysBloomBackfill=false,minStreamGroupQueueSize=2000,streamingTargetTsidxSyncPeriodMsec=5000,repFactor=0,hotBucketTimeRefreshInterval=10]' isSlave=false needApplyDeleteJournal=false