Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Too many buckets - can I somehow merge them?

tkiss
Path Finder
‎10-18-2014 01:49 AM

Hi all,

In a 4 indexer cluster, where there are 60 individual indexes I happen to have 40.000+ buckets now (data is back from years). I assume this could cause some performance issues. Can you confirm this?

If yes, is there a way to somehow optimize the count of buckets? Merge buckets in the same index, eg: 10 buckets will become 1.

Using Splunk 6.1.4.

Thanks,
Tamas

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-18-2014 11:02 AM

This should not cause performance problems. It's possible that if you have tens of thousands of buckets in an individual directory, some older filesystems (e.g., ext3) may start hitting performance limits, but you're right now at an average of only 40000/(4x6) = 167 per directory, or even less if they are spread to a cold directory. Newer filesystems (e.g., ext4, XFS, NTFS) also avoid this.

You can't easily merge buckets, but you should make sure going forward that your indexes are set to a maxDataSize (max bucket size) of at least auto_high_volume (10 GB), and not auto (750 MB) to make sure they are not unnecessarily small.

View solution in original post

Reply
Solved! Jump to solution

peppi
Explorer
‎10-22-2021 10:34 PM

Hi,

looks like something like that was implemented:

https://docs.splunk.com/Documentation/Splunk/8.2.2/Troubleshooting/CommandlinetoolsforusewithSupport...

0 Karma
Reply
Solved! Jump to solution

tkiss
Path Finder
‎10-20-2014 01:00 AM

Thanks to both of you, currently I'm not seeing any performance impact - I'm just trying to be proactive here. maxDataSize is indeed set to auto_high_volume, anyway thanks for the tip!

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-18-2014 11:02 AM

This should not cause performance problems. It's possible that if you have tens of thousands of buckets in an individual directory, some older filesystems (e.g., ext3) may start hitting performance limits, but you're right now at an average of only 40000/(4x6) = 167 per directory, or even less if they are spread to a cold directory. Newer filesystems (e.g., ext4, XFS, NTFS) also avoid this.

You can't easily merge buckets, but you should make sure going forward that your indexes are set to a maxDataSize (max bucket size) of at least auto_high_volume (10 GB), and not auto (750 MB) to make sure they are not unnecessarily small.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-18-2014 09:51 AM

1000 buckets per index doesn't sound horrible to me. Are you actually seeing performance issues or are you just worried about the numbers?

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...