Indexing: Bucket Controls

Question 1

How do you configure the Maximum Size for a hot bucket?

Answer 1

maxDataSize

Question 2

What is the maxDataSize rolling behavior?

Answer 2

hot to warm

Question 3

How do you configure the maximum number of warm buckets?

Answer 3

maxWarmDBCount

Question 4

What is the rolling behavior of maxWarmDBCount?

Answer 4

warm to cold

Question 5

What is the default setting for maxWarmDBCount?

Answer 5

300

Question 6

How do you configure maximum size of an index?

Answer 6

maxTotalDataSizeMB

Question 7

What is the rolling behavior maxTotalDataSizeMB?

Answer 7

cold to frozen

Question 8

What is the default setting for maxTotalDataSizeMB?

Answer 8

500000 MB

Question 9

How do you configure maximum age for a bucket?

Answer 9

frozenTimePeriodInSeconds

Question 10

What is the rolling behavior for frozenTimePeriodInSeconds?

Answer 10

cold to frozen

Question 11

What is the default setting for frozenTimePeriodInSeconds?

Answer 11

~6 Years

Question 12

How do you configure maximum size for hot/warm storage?

Answer 12

homePath.maxDataSizeMB

Question 13

How do you configure maximum size for cold storage?

Answer 13

coldPath.maxDataSizeMB

Question 14

How do you configure maximum size for a volume?

Answer 14

maxVolumeDataSizeMB

Question 15

How do you configure maximum number of hot buckets?

Answer 15

maxHotBuckets

Question 16

What is the default setting for maxHotBuckets?

Answer 16

3

Question 17

How do you configure how long indexes retain tsidx files?

Answer 17

timePeriodInSecsBeforeTsidxReduction

Question 18

What 3 Bucket Controls are settable in the GUI?

Answer 18

timePeriodInSecsBeforeTsidxReduction, maxDataSize, maxTotalDataSizeMB

Question 19

What is maxTotalDataSizeMB applied to?

Answer 19

to both homepath and coldpath

Question 20

When should homePath.maxDataSizeMB and coldPath.maxDataSizeMB be used?

Answer 20

Should only be used when there are separate partitions being used

Question 21

What is the significance of timePeriodInSecsBeforeTsidxReduction?

Answer 21

1. Introduced in 6.4, it transforms the usual index files (.tsidx files) to a “minified” version.
2. This reduces the footprint of the “35% of the raw data size for the searchable artifacts” to a much smaller size.
3. This can extend the lifespan of data by permitting data to be kept longer (and searchable) in Splunk.
4. This feature can be used to achieve longer term storage without the need for extra architectural steps like adding S3 archival or rolling to hadoop

Question 22

Describe bucket control volumes?

Answer 22

Allow you to manage disk usage across multiple indexes.

Create volumes and specify maximum data sizes for them.

Typically separate volumes by hot/warm and cold buckets

Takes precedence over other bucket controls

Question 23

Can you use Volumes to define homePath?

Answer 23

Yes

Question 24

Can you use Volumes to define coldPath?

Answer 24

Yes

Question 25

Can you use Volumes to define thawedPath?

Answer 25

No

Question 26

What situation REQUIRES you to us volumes?

Answer 26

When you explicitly define bloomHomePath

Question 27

What is the overall guideline for Control Precedence?

Answer 27

Most Restrictive Rule Wins

Question 28

What are the bucket specific control precedence?

Answer 28

• The oldest bucket will be frozen first
• Age is determined by the age of the most recent event
• • May not correspond to the time when the data was ingested.
• Hot buckets are measured by size but are exempt from age controls