Splunk Search

Is search performance affected by number of warm buckets?

DDerck
New Member

I would like to know if search performance could be increased by moving buckets from warm to cold?
My main index contains approx 4,500,000,000 events, with the oldest from Nov 2013 and is composed of around 235 buckets.

Will I gain anything if I move buckets to cold state?

0 Karma

Yasaswy
Contributor

Hi, This will depend on kind of searches that will run:

If most of your searches access only few weeks or few months of data, then moving "older" data/buckets to cold will result in search performance improvement as there is now less data to search through. If the searches use /need to access all the historical data, then moving data to cold will negatively impact your searches... as the searches will now have to fetch data from cold buckets.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...