All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Palo Alto Networks App for Splunk data model frequently consumes too much space on disk.

the_wolverine
Champion
‎11-13-2015 08:53 AM

Even for small time ranges like -1d, the PAN data model consumes too much space on disk amounting to hundreds of GBs and into the TBs when the acceleration was configured to -30d.

0 Karma
Reply

btorresgil
Builder
‎11-13-2015 10:25 AM

Hi Wolverine,

The acceleration for the datamodel will take up different amounts of space for different environments, depending on the log ingestion rate, type of logs and traffic, number of firewalls and their configurations, etc.

The latest version of the Splunk App (v5.0.0) is more efficient in datamodel acceleration performance and space usage on disk. Try upgrading to version 5.0.0 or higher and re-build the acceleration to get the benefits.

Use the upgrade guide to upgrade to App version 5.0.0:
http://pansplunk.readthedocs.org/en/latest/upgrade.html

If you need the acceleration to take even less space on disk after the upgrade, you can remove fields from the datamodel that you don't need or care about. Note that if you remove a field that is used by a dashboard, that panel in the dashboard might not work. But the dashboards are there to be modified to suit your needs also.

Best regards,
-Brian

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...