Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to total the buckets that will roll from cold to frozen when changing frozenTimePeriodinSecs

wardallen
Path Finder
‎10-12-2014 04:56 PM

I'm running out of space in my cold bucket volume, and want to reduce the default frozenTimePeriodInSecs to force a bunch of older cold data to roll to frozen. I've got plenty of space in frozen.
Is there a way I can get an idea of how much cold volume space I can reclaim if I know how much I want to reduce frozenTimePeriodInSecs?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎10-12-2014 07:02 PM

By using dir or ls or the dbinspect command, you can find out the bucket time ranges. By seeing how many's "latest" edge, which is typically the edge closest to now, you can see how many would fall outside your retention window if you adjusted frozenTimePeriodInSecs.

As far as i know, dbinspect is not properly distributed so you might have to log into indexers, or if you're using a cluster you could hit the cluster bukets endpoint to get xml or json to walk.

ASIDE:
This is all terribly manual of course. We need to build a tool that can address this type of usecase. Specifically "If i changed my configuration like so.... what would happen?" I hope to work on something like this within the next year or so. As for a GUI with nice visualization I have no idea but please file ERs if the lack is a serious issue for you.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎10-12-2014 07:02 PM

By using dir or ls or the dbinspect command, you can find out the bucket time ranges. By seeing how many's "latest" edge, which is typically the edge closest to now, you can see how many would fall outside your retention window if you adjusted frozenTimePeriodInSecs.

As far as i know, dbinspect is not properly distributed so you might have to log into indexers, or if you're using a cluster you could hit the cluster bukets endpoint to get xml or json to walk.

ASIDE:
This is all terribly manual of course. We need to build a tool that can address this type of usecase. Specifically "If i changed my configuration like so.... what would happen?" I hope to work on something like this within the next year or so. As for a GUI with nice visualization I have no idea but please file ERs if the lack is a serious issue for you.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-12-2014 06:16 PM

Take a look at this page.

http://wiki.splunk.com/Deploy:BucketRotationAndRetention

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...