Splunk stores indexed data in directories called 'buckets'. Physically, a bucket is a directory holding the raw data and index files for events from a particular time span.
A bucket moves through several stages as it ages. Below are the stages it goes through:
Hot: A hot bucket contains newly indexed data and is open for writing. An index has one or more hot buckets at any time.
Warm: A warm bucket holds data rolled from a hot bucket (when the hot bucket reaches its size limit, ages out, or the indexer restarts). It is closed for writing but still searchable. There are typically many warm buckets.
Cold: A cold bucket holds data rolled from a warm bucket. It is still searchable, but is kept in a separate location (colddb) that is often slower, cheaper storage. There are typically many cold buckets.
Frozen: A frozen bucket holds data rolled from a cold bucket once it exceeds the index's retention limits (age or total size). The indexer deletes frozen data by default, but we can archive it instead. Data in a frozen bucket is not searchable; archived buckets can later be thawed back into the index, where they become searchable again.
By default, the hot and warm buckets for the main index are located in:
$SPLUNK_HOME/var/lib/splunk/defaultdb/db
We should see the hot bucket directories there (named hot_v1_<id>) and any warm buckets we have (named db_<latest>_<earliest>_<id>, where the two numbers are epoch times of the newest and oldest events in the bucket). Cold buckets live beside them in colddb, and thawed buckets in thaweddb. Bucket size is controlled by maxDataSize in indexes.conf: the default, auto, rolls a hot bucket to warm at 750 MB on both 64-bit and 32-bit systems, while auto_high_volume raises the limit to 10 GB on 64-bit systems (1 GB on 32-bit). Rolling to frozen is governed by frozenTimePeriodInSecs (default 188697600 seconds, about six years, measured against the newest event in the bucket) and by maxTotalDataSizeMB (default 500000).
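The following is an added example, not code from the page or from Splunk, that shows what a practitioner can read off the bucket directories described above: it parses a constructed listing of the defaultdb tree, assigns each bucket its stage from the directory it sits in and its name, and works out which buckets the age-based retention setting would roll to frozen. The listing, the epoch values and the helper names (parse_bucket, inventory, freeze_candidates, stage_counts) are all assumptions made for the example; the name format, the default frozenTimePeriodInSecs, and the rule that Splunk freezes a bucket by the age of its newest event are taken from Splunk's documented behaviour.

```python
import re

# Constructed sample listing (not from a real system): bucket directories
# relative to $SPLUNK_HOME/var/lib/splunk/defaultdb, as `ls` would show them.
SAMPLE_LISTING = [
    "db/hot_v1_4",
    "db/db_1700000000_1699900000_3",
    "db/db_1699900000_1699800000_2",
    "colddb/db_1600000000_1599000000_1",
    "colddb/db_1400000000_1399000000_0",
    "thaweddb/db_1300000000_1299000000_9",
]

# Hot buckets are named hot_v1_<localid>; they carry no timestamps because they
# are still open for writing. Warm, cold and thawed buckets are named
# db_<latest_event_epoch>_<earliest_event_epoch>_<localid>, with an extra
# _<guid> suffix on indexer-cluster members.
HOT_RE = re.compile(r"^hot_v1_(?P<id>\d+)$")
DB_RE = re.compile(
    r"^db_(?P<latest>\d+)_(?P<earliest>\d+)_(?P<id>\d+)(?:_(?P<guid>[0-9A-Fa-f-]+))?$"
)

# The stage of a db_* bucket is decided by the directory it sits in.
STAGE_BY_DIR = {"db": "warm", "colddb": "cold", "thaweddb": "thawed"}

# Splunk's default frozenTimePeriodInSecs (about six years).
DEFAULT_FROZEN_TIME_PERIOD_SECS = 188697600


def parse_bucket(rel_path):
    """Describe one bucket directory, or return None if the path is not a bucket."""
    parent, _, name = rel_path.partition("/")
    if parent not in STAGE_BY_DIR:
        return None
    m = HOT_RE.match(name)
    if m and parent == "db":  # hot buckets only ever live in db/
        return {"id": int(m["id"]), "stage": "hot", "earliest": None, "latest": None}
    m = DB_RE.match(name)
    if not m:
        return None
    return {
        "id": int(m["id"]),
        "stage": STAGE_BY_DIR[parent],
        "earliest": int(m["earliest"]),
        "latest": int(m["latest"]),
    }


def inventory(listing):
    """Parse every entry of a directory listing, dropping non-bucket entries."""
    return [b for b in (parse_bucket(p) for p in listing) if b is not None]


def stage_counts(buckets):
    """Count buckets per stage, e.g. {'hot': 1, 'warm': 2, ...}."""
    counts = {}
    for b in buckets:
        counts[b["stage"]] = counts.get(b["stage"], 0) + 1
    return counts


def freeze_candidates(buckets, now, frozen_time_period_secs=DEFAULT_FROZEN_TIME_PERIOD_SECS):
    """IDs of buckets whose newest event is older than the retention window.

    Splunk rolls a bucket to frozen when its *latest* event, not its earliest,
    is older than frozenTimePeriodInSecs. Hot buckets are never frozen, and
    thawed buckets are not subject to the age-based policy, so both are skipped.
    """
    cutoff = now - frozen_time_period_secs
    return sorted(
        b["id"] for b in buckets
        if b["stage"] in ("warm", "cold") and b["latest"] < cutoff
    )


if __name__ == "__main__":
    buckets = inventory(SAMPLE_LISTING)
    for b in buckets:
        print(b)
    print("stage counts:", stage_counts(buckets))
    # With now=1700000000 only the oldest cold bucket (id 0) is past the cutoff.
    print("would freeze:", freeze_candidates(buckets, now=1700000000))
```

To run this against a live indexer, replace SAMPLE_LISTING with the output of walking $SPLUNK_HOME/var/lib/splunk/defaultdb (or the index's configured homePath and coldPath); the stage assignment and retention check are unchanged. Note that the size-based limit (maxTotalDataSizeMB) is not modelled here because bucket sizes are not encoded in the directory name.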