1.

What Are Buckets? Explain the Splunk Bucket Lifecycle.

Answer»

Splunk places indexed data in directories called “buckets”. A bucket is physically a directory containing events from a certain period.
A bucket moves through several stages as it ages:

  • Hot: Contains newly indexed data. Open for writing. There are one or more hot buckets for each index.
  • Warm: Data rolled from hot. There are many warm buckets.
  • Cold: Data rolled from warm. There are many cold buckets.
  • Frozen: Data rolled from cold. The indexer deletes frozen data by default, but you can also archive it. Archived data can later be thawed. (Data in frozen buckets is not searchable.)

By default, your buckets are located in $SPLUNK_HOME/var/lib/splunk/defaultdb/db. You should see the hot-db there, and any warm buckets you have. By default, Splunk sets the bucket size to 10GB for 64-bit systems and 750MB on 32-bit systems.

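The point a practitioner cares about in this lifecycle is the last stage: frozen data is deleted unless an archive path is configured, so logs you may need for an investigation can silently disappear once a bucket ages past frozenTimePeriodInSecs (Splunk's default is 188697600 seconds, six years). The script below is an added example, not code from the page or from Splunk; it reads bucket directory names of the form hot_v1_<id> and db_<newest_epoch>_<oldest_epoch>_<id> from the db and colddb listings of an index and reports which buckets would roll to frozen next and whether they would be deleted or archived. The directory listings are constructed sample data, the function names are mine, and only the age-based freeze rule is modelled (size-based freezing via coldPath.maxDataSizeMB is not).

```python
import re
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Splunk bucket directory naming: a hot bucket is hot_v1_<id>; once rolled to
# warm or cold it is renamed db_<newest>_<oldest>_<id>, where <newest> and
# <oldest> are epoch timestamps of the latest and earliest event it holds.
# Clustered indexers append a GUID, which the pattern tolerates.
HOT_RE = re.compile(r"^hot_v\d+_\d+$")
ROLLED_RE = re.compile(r"^db_(\d+)_(\d+)_\d+(?:_[0-9A-Fa-f-]+)?$")

# Splunk's default frozenTimePeriodInSecs (6 years).
DEFAULT_FROZEN_TIME_PERIOD = 188697600

# Constructed sample listings (not taken from a real indexer) for the hot/warm
# directory (.../defaultdb/db) and the cold directory (.../defaultdb/colddb).
SAMPLE_DB = ["hot_v1_7", "db_1700000000_1699900000_6", "db_1690000000_1689000000_5"]
SAMPLE_COLDDB = ["db_1650000000_1640000000_2", "db_1620000000_1600000000_1"]


@dataclass
class Bucket:
    name: str
    stage: str             # "hot", "warm" or "cold"
    newest: Optional[int]  # epoch of the latest event; None for a hot bucket (still open)
    oldest: Optional[int]


def parse_bucket(name: str, stage: str) -> Optional[Bucket]:
    """Classify one directory entry; non-bucket entries return None."""
    if HOT_RE.match(name):
        return Bucket(name, "hot", None, None)
    m = ROLLED_RE.match(name)
    if m:
        return Bucket(name, stage, int(m.group(1)), int(m.group(2)))
    return None


def retention_report(db_entries: List[str], colddb_entries: List[str], now: int,
                     frozen_time_period: int = DEFAULT_FROZEN_TIME_PERIOD,
                     cold_to_frozen_dir: Optional[str] = None) -> Dict[str, object]:
    """Report bucket stages and which buckets are due to roll to frozen.

    A bucket rolls to frozen once its newest event is older than
    frozen_time_period; what happens then depends on coldToFrozenDir.
    """
    buckets = [b for b in (parse_bucket(n, "warm") for n in db_entries) if b]
    buckets += [b for b in (parse_bucket(n, "cold") for n in colddb_entries) if b]

    due = sorted((b for b in buckets
                  if b.newest is not None and now - b.newest > frozen_time_period),
                 key=lambda b: b.newest)

    return {
        "hot": [b.name for b in buckets if b.stage == "hot"],
        "warm": [b.name for b in buckets if b.stage == "warm"],
        "cold": [b.name for b in buckets if b.stage == "cold"],
        "freeze_next": [b.name for b in due],
        # Default Splunk behaviour is deletion; an archive only happens when
        # coldToFrozenDir (or a coldToFrozenScript) is configured.
        "frozen_action": f"archive to {cold_to_frozen_dir}" if cold_to_frozen_dir else "delete",
    }


if __name__ == "__main__":
    # Hypothetical short retention so the sample buckets show the effect.
    report = retention_report(SAMPLE_DB, SAMPLE_COLDDB, now=int(time.time()),
                              frozen_time_period=40_000_000)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Against a live indexer you would feed it the output of listing $SPLUNK_HOME/var/lib/splunk/defaultdb/db and .../colddb and the values of frozenTimePeriodInSecs and coldToFrozenDir from the index's stanza in indexes.conf; anything listed under freeze_next with frozen_action "delete" is evidence you are about to lose, and setting coldToFrozenDir for that index is the fix.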


