Solved: Can we enable WORM on SmartStore S3 buckets ?

dm1 · ‎09-27-2021

Does Splunk support enabling WORM on SmartStore S3 buckets ?

richgalloway · ‎09-28-2021

The docs don't mention it, but I'd say no.

Splunk buckets (other than hot buckets) are, by nature, WORM. They are never changed once written. However, the metadata associated with a bucket can change if, for example, a datamodel changes then the associated tsidx file in the bucket will have to change. That would not work if the S3 bucket was write-protected.

In short, don't mess with SmartStore buckets.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-28-2021

The docs don't mention it, but I'd say no.

Splunk buckets (other than hot buckets) are, by nature, WORM. They are never changed once written. However, the metadata associated with a bucket can change if, for example, a datamodel changes then the associated tsidx file in the bucket will have to change. That would not work if the S3 bucket was write-protected.

In short, don't mess with SmartStore buckets.

---
If this reply helps you, Karma would be appreciated.

dm1 · ‎09-28-2021

That makes sense. Thanks for your helpful answer @richgalloway

Can we enable WORM on SmartStore S3 buckets ?

index

other

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)