Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What disk space is actually needed for indexes on a search head?

mfrost8
Builder
‎08-19-2015 08:29 AM

I'm trying to build some new search heads and I'm looking at how much disk space I should really need for indexes ($SPLUNK_DB) on a search head, particularly if I'm configuring that search head to forward any events its told to index to the indexers as is the recommended best practice.

I see that there is some space used on my current indexers and that a certain minimum amount is probably necessary. Could I potentially scale back indexes that exist on the search heads for one reason or another (sos, os) so that they're very small since any events that are supposed to go there will be forwarded to indexers anyway where they'll be more space allocated?

I was thinking about 10GB of local space for indexes on the search heads, but if I don't even have to use that much, I'd rather not, especially when I can use it for dispatch.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jensonthottian
Contributor
‎08-19-2015 10:24 AM

The defauk indexes in your indexer are summary, main, history, _thefishbucket, _introspection, _internal, _blocksignature, _audit.

Generally _audit is the one which will consume the most diskspace which too will be way less. I think 10 GB should be good enough for diskspace for all indexes in search head. Default max is set for each of these indexes as 500 GB.

View solution in original post

Reply
Solved! Jump to solution
Solution

jensonthottian
Contributor
‎08-19-2015 10:24 AM

The defauk indexes in your indexer are summary, main, history, _thefishbucket, _introspection, _internal, _blocksignature, _audit.

Generally _audit is the one which will consume the most diskspace which too will be way less. I think 10 GB should be good enough for diskspace for all indexes in search head. Default max is set for each of these indexes as 500 GB.

Reply
Solved! Jump to solution

mfrost8
Builder
‎08-19-2015 10:33 AM

Hmm. I was hoping it could be way less. OK, 10 GB it is. Th anks.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...