Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the naming convention behind the db_ buckets?

Chris_R_
Splunk Employee
Splunk Employee
‎03-04-2010 01:25 AM

What's the naming convention on these directories(buckets) and where can i find more info on tuning my splunk buckets?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-04-2010 03:11 AM

The buckets are named:

db_latesttime_earliesttime_idnum

where latesttime is the time stamp of the latest event in the bucket, earliesttime is the time stamp of the earliest event in the bucket, and idnum is an ID number that must be unique within the database across all buckets in the database.

Splunk uses the time numbers to decide whether to look in a bucket at all for events in a given time span. If you narrow these numbers, then events that are in the bucket but outside the new time range will not be returned in search. If you widen them, Splunk will waste time looking in the bucket for events it will never find.

ID numbers matter if you are merging databases or restoring buckets from an archive, and you must ensure that every bucket has a unique ID after any merge. Although ID numbers are generated sequentially by normal Splunk indexing, they do not have to be sequential, nor can you count on them remaining unchanged. A simple way to ensure unique IDs would be to append a distinct digit (or series of digits) to buckets from each specific source, so that buckets from different sources could not possibly match on their last digit.

In general, you should not tune bucket sizes without extensive and deep knowledge of how indexing and searching operates. Most changes from the standards will result in decreased search performance over that data, sometimes enormously decreased, and will extremely rarely result in any noticeable improvements. Use auto or auto_high_volume, and accept or copy defaults for most parameters.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-04-2010 03:11 AM

The buckets are named:

db_latesttime_earliesttime_idnum

where latesttime is the time stamp of the latest event in the bucket, earliesttime is the time stamp of the earliest event in the bucket, and idnum is an ID number that must be unique within the database across all buckets in the database.

Splunk uses the time numbers to decide whether to look in a bucket at all for events in a given time span. If you narrow these numbers, then events that are in the bucket but outside the new time range will not be returned in search. If you widen them, Splunk will waste time looking in the bucket for events it will never find.

ID numbers matter if you are merging databases or restoring buckets from an archive, and you must ensure that every bucket has a unique ID after any merge. Although ID numbers are generated sequentially by normal Splunk indexing, they do not have to be sequential, nor can you count on them remaining unchanged. A simple way to ensure unique IDs would be to append a distinct digit (or series of digits) to buckets from each specific source, so that buckets from different sources could not possibly match on their last digit.

In general, you should not tune bucket sizes without extensive and deep knowledge of how indexing and searching operates. Most changes from the standards will result in decreased search performance over that data, sometimes enormously decreased, and will extremely rarely result in any noticeable improvements. Use auto or auto_high_volume, and accept or copy defaults for most parameters.

Reply
Solved! Jump to solution

znaesh
Path Finder
‎04-10-2018 03:32 AM

And the bucket number should really only contain digits, no literals, and field length is limited.

0 Karma
Reply
Solved! Jump to solution

Chris_R_
Splunk Employee
Splunk Employee
‎03-04-2010 01:25 AM

These are your warm buckets in each index stored in UTC epoch seconds db_#

If your using the default splunk index buckets will be stored in
$SPLUNK_HOME/var/lib/splunk/defaultdb/db

Each index has a number of warm buckets which is specified in your indexes.conf ( Defaults to 300) By default, Splunk sets the bucket size to 10GB for 64bit systems and 750MB on 32bit systems.

For further info on backup, retirement, and archiving best practices see:

http://www.splunk.com/wiki/Deploy:UnderstandingBuckets
http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Setaretirementandarchivingpolicy
http://www.splunk.com/wiki/Deploy:BestPracticesForBackingUp#How_data_moves_through_Splunk

Reply
Solved! Jump to solution

-T
Observer
‎12-28-2022 10:58 AM

@Chris_R_ FYSA all 3 of your urls no longer work.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...