Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why can't I set maxHotBuckets > 10 ?

the_wolverine
Champion
‎04-07-2011 04:41 PM

We have an index that receives a lot of events resulting in buckets with 2 hour spans. I initially figured I would give this index 20 hot buckets by setting maxHotBuckets = 20 in indexes.conf.

After seeing the following message in splunkd.log, I think this actually caused issues on my indexer:

04-06-2011 21:13:13.505 INFO  HotDBManager - flushing db: $SPLUNK_DB/defaultdb/db/hot_v1_XXXX (max=10, count=11 )

When I set the value back to 10 hot buckets, the INFO message went away. Is this intentional to not allow > 10 hot buckets? And what is the reasoning?

Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎10-19-2011 08:03 PM

There hasn't been a response to this question. If you encounter the same issue I suggest filing a support ticket.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎10-19-2011 08:03 PM

There hasn't been a response to this question. If you encounter the same issue I suggest filing a support ticket.

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎04-07-2011 11:27 PM

Could someone look into this and let me know whether this is a bug? However, based on Vishal's response, it appears that the behavior I'm seeing is unintended (= Bug).

0 Karma
Reply
Solved! Jump to solution

Vishal_Patel
Splunk Employee
Splunk Employee
‎04-07-2011 04:45 PM

wolverine, that message is not an ERROR, it is simply an INFO message stating that we are going to roll this bucket since it has exceeded maxHotBuckets count.

Please do the following to diagnose why it isn't set to 20:

% splunk cmd btool indexes list main

and verify that the maxHotBuckets is indeed set to 20, if not, you have a conf loading issue

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎08-22-2011 10:58 PM

Still waiting for a response 5.5 months later.

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎04-07-2011 07:57 PM

I have verified that the update to indexes.conf is being loaded correctly per the command you provided, Vishal.

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎04-07-2011 05:46 PM

Pardon my nomenclature! I've updated my post to reflect this. What do I do once I confirm that this is a conf loading issue? Note that the INFO message went away after I changed my maxHotBuckets count to 10.

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...