Deployment Architecture

buckets - hot/warm and cold on 2 separate volumes

smithy001
Explorer

if we configure a fast volume for hot/warm and slower spindles for cold and set maxVolumeDataSizeMB to enforce sizes.

can you see any situation where cold would file but hot/warm would still have space?

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @smithy001 ,

sorry but I don't understand your question:

it's usual to use faster and more expensive storage for Hot/Warm buckets and slower and less expensive storage for Cold buckets.

What's your qyestion?

You should analyze your searches to understand what's the retentio to apply to warm buckets to have more than 85/90% of searches, in this way, the use of a slower storage will not affect so much your performances.

Usually it's used one month, but it depends on your use.

Ciao.

Giuseppe

0 Karma

smithy001
Explorer

Thanks for the reply...I understand the use of 2 separate volumes.

 

I was asking if anyone could see a situation where the cold [spindle] volume could become full whilst the hot/warm[ssd] still had capacity if both were sized the same...

6 months on SSD 6 months on spindle...

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @smithy001,

the capacity of storages must be calculated in a Capacity Plan:

yo have to define how long data remain in Warm Buckets before passing to Cold.

If you have few data in Hot/Warm and a full storage in Col status, you have to rebuild your Capacity Planning.

Anyway, as I said, Cold data are usually in less expensive storage, so you should analyze your data to define what's the correct point of status change.

So you could have 2 months instead of one month in Warm status, in this way you'll have better performaces in searches, but anyway you have to correctly analyze and design your data flows in a Capacity Planning.

Ciao.

Giuseppe

0 Karma

smithy001
Explorer

So rather than have 2 volumes just have 1 and use tiered storage so that you only need to monitor the usage at the storage system.

Make capacity planning much easier and hardware tiering is far more efficient/performant as accessed data will be elevated to  a higher performance tier. 

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @smithy001,

the number of volumes isn't so relevant: make a complete Capacity Plan.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...