Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What disk space is actually needed for indexes on a search head?

mfrost8
Builder
‎08-19-2015 08:29 AM

I'm trying to build some new search heads and I'm looking at how much disk space I should really need for indexes ($SPLUNK_DB) on a search head, particularly if I'm configuring that search head to forward any events its told to index to the indexers as is the recommended best practice.

I see that there is some space used on my current indexers and that a certain minimum amount is probably necessary. Could I potentially scale back indexes that exist on the search heads for one reason or another (sos, os) so that they're very small since any events that are supposed to go there will be forwarded to indexers anyway where they'll be more space allocated?

I was thinking about 10GB of local space for indexes on the search heads, but if I don't even have to use that much, I'd rather not, especially when I can use it for dispatch.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jensonthottian
Contributor
‎08-19-2015 10:24 AM

The defauk indexes in your indexer are summary, main, history, _thefishbucket, _introspection, _internal, _blocksignature, _audit.

Generally _audit is the one which will consume the most diskspace which too will be way less. I think 10 GB should be good enough for diskspace for all indexes in search head. Default max is set for each of these indexes as 500 GB.

View solution in original post

Reply
Solved! Jump to solution
Solution

jensonthottian
Contributor
‎08-19-2015 10:24 AM

The defauk indexes in your indexer are summary, main, history, _thefishbucket, _introspection, _internal, _blocksignature, _audit.

Generally _audit is the one which will consume the most diskspace which too will be way less. I think 10 GB should be good enough for diskspace for all indexes in search head. Default max is set for each of these indexes as 500 GB.

Reply
Solved! Jump to solution

mfrost8
Builder
‎08-19-2015 10:33 AM

Hmm. I was hoping it could be way less. OK, 10 GB it is. Th anks.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...