I am using the Splunk archiving feature where events are archived to HDFS after a certain amount of time (23 days in my case) and then removed from the indexer after 26 days.
This is all working but I recently started archiving a new index which seems to have many more buckets and thus we need many more inodes in HDFS (Splunk uses up to 7 inodes per bucket.)
I hesitate to adjust the bucketing that I have for normal Splunk indexing as all is working well there, but wondered if there were any settings I should look at to reduce the number of buckets that this index has.
↧