Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What disk space is actually needed for indexes on a search head?

mfrost8
Builder
‎08-19-2015 08:29 AM

I'm trying to build some new search heads and I'm looking at how much disk space I should really need for indexes ($SPLUNK_DB) on a search head, particularly if I'm configuring that search head to forward any events its told to index to the indexers as is the recommended best practice.

I see that there is some space used on my current indexers and that a certain minimum amount is probably necessary. Could I potentially scale back indexes that exist on the search heads for one reason or another (sos, os) so that they're very small since any events that are supposed to go there will be forwarded to indexers anyway where they'll be more space allocated?

I was thinking about 10GB of local space for indexes on the search heads, but if I don't even have to use that much, I'd rather not, especially when I can use it for dispatch.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jensonthottian
Contributor
‎08-19-2015 10:24 AM

The defauk indexes in your indexer are summary, main, history, _thefishbucket, _introspection, _internal, _blocksignature, _audit.

Generally _audit is the one which will consume the most diskspace which too will be way less. I think 10 GB should be good enough for diskspace for all indexes in search head. Default max is set for each of these indexes as 500 GB.

View solution in original post

Reply
Solved! Jump to solution
Solution

jensonthottian
Contributor
‎08-19-2015 10:24 AM

The defauk indexes in your indexer are summary, main, history, _thefishbucket, _introspection, _internal, _blocksignature, _audit.

Generally _audit is the one which will consume the most diskspace which too will be way less. I think 10 GB should be good enough for diskspace for all indexes in search head. Default max is set for each of these indexes as 500 GB.

Reply
Solved! Jump to solution

mfrost8
Builder
‎08-19-2015 10:33 AM

Hmm. I was hoping it could be way less. OK, 10 GB it is. Th anks.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...