Solved: Estimating volume requirements for internal indexe...

rturk · ‎09-02-2012

Hi Splunkers!

So as part two of my storage estimation (part one HERE), I have to allow for the growth & storage of the internal indexes in the following environment:
- 100GB/day
- 90 days data retention

Using the rough estimation of daily volume x retention x 1/2 I get 4.5TB of storage required for the above specs.

What kind of percentage buffer should I be applying for my Splunk Internal indexes (i.e. _internal, _audit, _fishbucket, etc..). I vaguely recall seeing a value of 15% being mentioned somewhere but that may have applied to something else.

Thanks in advance 🙂

yannK · ‎09-02-2012

They are limited by default to 500GB each, and have a short retention of 30 days.
You can size them as needed.
However the fishbucket is not a classic index, it contains the trace of the files locally monitored and can grow (usually on forwarders)

[EDIT}

the actual defaults are in $SPLUNK_HOME/etc/system/default/indexes.conf
maxTotalDataSizeMB = 500000

View solution in original post

yannK · ‎09-02-2012

They are limited by default to 500GB each, and have a short retention of 30 days.
You can size them as needed.
However the fishbucket is not a classic index, it contains the trace of the files locally monitored and can grow (usually on forwarders)

[EDIT}

the actual defaults are in $SPLUNK_HOME/etc/system/default/indexes.conf
maxTotalDataSizeMB = 500000

rturk · ‎08-26-2013

Thanks yannK (and sorry for the delay!)

Estimating volume requirements for internal indexes?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation