Getting Data In

Why is the size of one of our indexes decreasing instead of increasing?

pavanae
Builder

In settings/indexes, one of the indexes was set to 34,000 mb as maximum size. However, I observed that the current size in mb is around 3000 mb from the past 2 months . In some cases, I even noticed below 3000 mb, even though a lot of data was coming in each and every day. I don't understand why the current size in mb is not increasing. Instead, it's decreasing and staying around 3000 mb. Could anyone tell me what could be the reason?

Tags (2)
0 Karma
1 Solution

pavanae
Builder

That's due to the Frozen bucket size is very less.. After increasing the bucket size. resolved the issue.

View solution in original post

0 Karma

pavanae
Builder

That's due to the Frozen bucket size is very less.. After increasing the bucket size. resolved the issue.

0 Karma

rsennett_splunk
Splunk Employee
Splunk Employee

It would also help if you post the stanza for that index in indexes.conf. Do you have other "custom" settings other than the maxTotalDataSizeMB setting?
If you want to see where all the buckets are and when they rolled... you'll want to install the Fire Brigade 2 App (and add-on).

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Do run this and post its output:

$SPLUNK_HOME/bin/splunk cmd btool indexes list --debug that_index | grep -v system/default

Additionally, run this search to see if buckets were being moved anywhere:

index=_internal BucketMover

dolivasoh
Contributor

I think Martin is right here. Looks like you're simply rolling buckets.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...