Palo Alto Networks App for Splunk data model frequ...

the_wolverine · ‎11-13-2015

Even for small time ranges like -1d, the PAN data model consumes too much space on disk amounting to hundreds of GBs and into the TBs when the acceleration was configured to -30d.

btorresgil · ‎11-13-2015

Hi Wolverine,

The acceleration for the datamodel will take up different amounts of space for different environments, depending on the log ingestion rate, type of logs and traffic, number of firewalls and their configurations, etc.

The latest version of the Splunk App (v5.0.0) is more efficient in datamodel acceleration performance and space usage on disk. Try upgrading to version 5.0.0 or higher and re-build the acceleration to get the benefits.

Use the upgrade guide to upgrade to App version 5.0.0:
http://pansplunk.readthedocs.org/en/latest/upgrade.html

If you need the acceleration to take even less space on disk after the upgrade, you can remove fields from the datamodel that you don't need or care about. Note that if you remove a field that is used by a dashboard, that panel in the dashboard might not work. But the dashboards are there to be modified to suit your needs also.

Best regards,
-Brian

Palo Alto Networks App for Splunk data model frequently consumes too much space on disk.

There's No Place Like Chrome and the Splunk Platform

The Great Resilience Quest: 5th Leaderboard Update

Devesh Logendran, Splunk, and the Singapore Cyber Conquest