In case anyone else finds this, I've done a pretty big write-up on two answers. Start here: https://answers.splunk.com/answers/725555/what-does-this-message-mean-regarding-the-health-s.html?childToView=766381#answer-766381
We have this issue again when we are upgrading to 7.3.3 to fix the timestamp issue:
The percentage of small of buckets created xx over the last hour is very high and exceeded the red thresholds (xx) for index=xxxxx, and possibly more indexes, on this indexer
I wonder if we can search for the source/host where the time is not correct, so we can fix it. We have about 1200 forwarders.
TKs
Louis.