0 votes
in Technology by (321k points)
What are Buckets? Explain Splunk Bucket Lifecycle.

1 Answer

0 votes
by (321k points)

Splunk places indexed data in directories, called ‘buckets.’ It is physically a directory containing events of a certain period.

A bucket moves through several stages as it ages. Below are the various stages it goes through:

  • Hot: A hot bucket contains newly indexed data. It is open for writing. There can be one or more hot buckets for each index.
  • Warm: A warm bucket consists of data rolled out from a hot bucket. There are many warm buckets.
  • Cold: A cold bucket has data that is rolled out from a warm bucket. There are many cold buckets.
  • Frozen: A frozen bucket is comprised of data rolled out from a cold bucket. The indexer deletes frozen data by default, but we can archive it. Archived data can later be thawed (data in a frozen bucket is not searchable).

By default, the buckets are located in:

$SPLUNK_HOME/var/lib/splunk/defaultdb/db

We should see the hot-db there, and any warm buckets we have. By default, Splunk sets the bucket size to 10 GB for 64-bit systems and 750 MB on 32-bit systems.

...