
After updating my indexer to 2TB, which index volume should I increase?

Venkat_16
Contributor

I have upgraded my indexer to 2TB from 450GB to increase my data retention.

Below is my current indexer volume configuration:
hot volume : 70GB
cold volume: 35GB

Should I increase my hot volume or cold volume?

Please suggest.

0 Karma

acharlieh
Influencer

Typically, you should have super fast (usually expensive, tier 1 performance) disk for your hot/warm volume, and moderately fast (usually cheaper, tier 2 performance) disk for your cold volume. What kind of disk you buy (and subsequently which volume you extend) is a function of your ingestion rates and your business needs in terms of what data your users need to search most often.

In the most simplistic scenario (not clustering, and not talking about data growth projections), if you gain 2 GB of newly ingested disk usage an hour, and your users' business case has them searching back a day typically, then you want 48 GB (2*24) of hot and the rest of your retention period filled out by cold.

If your hot volume and your cold volumes are composed of disk with the same performance attributes, then the choice of which volume to extend is rather moot and more of a function of other retention settings (I'd likely throw it on cold, but that's arbitrary, as I wouldn't be managing hot and cold separately if I had undifferentiated disk). Additionally, you wouldn't want to mix your fast and slow disk in the same volume; otherwise you potentially slow down your fast disk to the speed of your slow disk, negating the investment in the fast disk.

0 Karma