The Index Mines • Room 2

The Bucket Lifecycle

Data in Splunk indexes is stored in directories called buckets. Each bucket moves through a lifecycle of stages as it ages.

Hot buckets are actively being written to. Warm buckets are closed for writing but still searchable on fast storage. Cold buckets are archived to slower storage but remain searchable.

Frozen buckets are removed from the index (deleted by default or archived). Thawed buckets are previously frozen data that has been restored for searching.

Set frozenTimePeriodInSecs or maxTotalDataSizeMB in indexes.conf to control when data rolls to frozen.

Knowledge Check

Match each description to its bucket stage.

Descriptions:
Actively written to by indexer
Closed for writing, searchable, fast storage
Moved to slower storage, still searchable
Removed from index, deleted or archived

Stages:
Hot
Warm
Cold
Frozen