How do I extend/increase the size of all buckets in Splunk by time period (days)?

saibal6
Path Finder

Hi Everyone,

I have gone through some Splunk documents about buckets. But most of the time I have seen that everyone discusses how to increase/extend the size of a bucket by size, meaning either MB or GB, which is converted to MB format.

But my concern is that I want to increase/extend my buckets by days (for example, I want to store my last 60 days of data in my hot bucket). I know that I have to convert the days to a minutes value and then use that in a bucket configuration. But I didn't find any proper example in Splunk.

Can anyone help me with this, or is there any good documentation with a proper example? It'll be very helpful for me.

Thanks,
Saibal6

0 Karma

DalJeanis
SplunkTrust

Thank you for asking, because you saved yourself from disaster.

NO, you do not want to store 60 days in a "hot" bucket.

Store hot and warm in the same place, and roll your hot buckets frequently. There is no sensible reason to attempt to keep a single bucket hot for any given length of time. Hot just means that it is the one current bucket of that type that is open for writing. Warm buckets are just as fast to access, possibly SLIGHTLY faster since they aren't being updated much. Every time that Splunk is restarted, or any of a number of other things happen, the hot buckets will roll to warm, and new hot buckets will be created.

You WANT this to happen.

A bucket cannot move from warm to cold until the last event in the bucket has aged sufficiently. (Or you run out of hot/warm space.) If your buckets are HUGE, then all those events have to roll from warm to cold at the same time. Splunk has no choice.

If, on the other hand, the buckets are reasonably sized, then Splunk can retire data at a reasonable rate.

Start with the planning calculator here to figure out your storage needs. https://splunk-sizing.appspot.com/

That will suggest for you a set of pre-built stanzas to start with. Change them only if you have a good reason.

0 Karma
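
A simplified model of the point made in the answer above, added here as an example that is not part of the original thread: age-based retirement acts on whole buckets, so the time span of a bucket decides how far past the retention period old data lingers and how much is retired at once. It assumes one event per day and that a bucket is retired once its newest event is older than the retention period (as with the `frozenTimePeriodInSecs` setting in indexes.conf, which is expressed in seconds); the function names are illustrative.

```python
"""Simplified model (constructed for illustration) of age-based bucket retirement.

Assumptions: one event per day; a bucket is retired as a whole once its
NEWEST event is older than the retention period.
"""

DAY_SECS = 24 * 60 * 60


def days_to_secs(days):
    """Time-based retention in indexes.conf is expressed in seconds."""
    return days * DAY_SECS


def buckets_on_disk(now_day, span_days, retention_days):
    """Return (first_day, last_day) for every bucket not yet retired."""
    kept = []
    for first in range(0, now_day + 1, span_days):
        last = min(first + span_days - 1, now_day)  # the open (hot) bucket ends today
        if now_day - last <= retention_days:        # newest event still within retention
            kept.append((first, last))
    return kept


def oldest_event_age(now_day, span_days, retention_days):
    """Age in days of the oldest event still on disk."""
    first_day, _ = buckets_on_disk(now_day, span_days, retention_days)[0]
    return now_day - first_day


def worst_case_age(span_days, retention_days, horizon_days=400):
    """Largest event age ever kept while ingesting for horizon_days."""
    return max(oldest_event_age(day, span_days, retention_days)
               for day in range(horizon_days))


if __name__ == "__main__":
    retention = 60
    print("60 days in seconds:", days_to_secs(retention))
    for span in (1, 7, 60):
        print(f"bucket span {span:>2} d -> oldest data kept up to "
              f"{worst_case_age(span, retention)} d, retired {span} d at a time")
```

With a 60-day retention target, one-day buckets keep data for at most 60 days, while a single 60-day bucket holds its oldest events for 119 days and then drops all 60 days in one step.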

RHASQaL
Path Finder

Have you looked at the "Set a retirement and archiving policy" documentation?

0 Karma