Getting Data In

After updating my indexer to 2TB, which index volume should I increase?

Contributor

i have upgraded my indexer to 2TB from 450GB to increase my data retention.

Below is my current indexer volume configuration:
hot volume : 70GB
cold volume: 35GB

Should i increase my hot volume or cold volume.

Please suggest.

0 Karma

Influencer

Typically, you should have super fast (usually expensive, tier 1 performance) disk for your hot/warm volume, and moderately fast (usually cheaper, tier 2 performance) disk for your cold volume. What kind of disk you buy (and subsequently which volume you extend) is a function of your ingestion rates and your business needs in terms of what data your users need to search most often.

In the most simplistic scenario (not clustering, and not talking about data growth projections) If you gain 2 GB of newly ingested disk usage an hour, and your users business case has them searching back a day typically then you want 48 GB (2*24) of hot and the rest of your retention period filled out by cold.

If your hot volume and your cold volumes are composed of disk with the same performance attributes, then the choice of which volume to extend is rather moot and more of a function of other retention settings (I'd likely throw it on cold but that's arbitrary, as I wouldn't be managing hot and cold separately if I had undifferentiated disk). Additionally you wouldn't want to mix your fast and slow disk in the same volume otherwise you potentially slow down your fast disk to the speed of your slow disk, negating the investment in the fast disk.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!