Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Theres is a limit by source on index?

henrym22
New Member
‎04-06-2016 07:13 PM

I have an index "main" and several sources associated with this index. The size limit of the index has been reach (150MB), but when I look for the earliest event, there is a difference between the sources.

Exemple:
source1 - first time event is August/2015 (50005771 events)
source2 - first time event is January/2016 (127797272 events)
source3 - first time event is March/2016 (982610866 events)
source4 - first time event is March/2016 (60681838 events)

To get the first time event I used the search bellow.

| metadata type=sources index=main | convert ctime(firstTime) | convert ctime(lastTime) | convert ctime(recentTime)

Why Splunk doesn't index the data since August/2015 for source 2, 3 and 4? The sources shouldn't have the same first time event?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-06-2016 09:44 PM

Splunk freezes data from your index by whole buckets based on the youngest event in the bucket, so the tail end of your index has a "fuzzy edge". Depending on what bucket data from what source is in, some data from source1 may be retained for much longer than some other data from source2.

I'm guessing there is a bucket with some old data from source1 and some newer data, so the newer data in the bucket stops the bucket from being frozen until other buckets with older youngest events are frozen first.

View solution in original post

Reply
Solved! Jump to solution

renanprado96
Path Finder
‎04-07-2016 06:05 AM

There are no limits to sources in the index.
I never had a problem with it.

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-06-2016 09:44 PM

Splunk freezes data from your index by whole buckets based on the youngest event in the bucket, so the tail end of your index has a "fuzzy edge". Depending on what bucket data from what source is in, some data from source1 may be retained for much longer than some other data from source2.

I'm guessing there is a bucket with some old data from source1 and some newer data, so the newer data in the bucket stops the bucket from being frozen until other buckets with older youngest events are frozen first.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-08-2016 01:18 AM

Makes sense, hot buckets don't get frozen. First they need to roll to warm, either after a restart, when the bucket size is reached, when the bucket span is reached, or when too many hot buckets are open.

0 Karma
Reply
Solved! Jump to solution

henrym22
New Member
‎04-07-2016 04:51 PM

Thank you for your answer.

Using the search bellow I was able to find out the bucket ID with the old data. It is a hot bucket.

index=myindex | eval BID = replace(_cd, "(\d+):\d+", "\1") | top BID
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...