Solved: Can we enable WORM on SmartStore S3 buckets ?

dm1 · ‎09-27-2021

Does Splunk support enabling WORM on SmartStore S3 buckets ?

richgalloway · ‎09-28-2021

The docs don't mention it, but I'd say no.

Splunk buckets (other than hot buckets) are, by nature, WORM. They are never changed once written. However, the metadata associated with a bucket can change if, for example, a datamodel changes then the associated tsidx file in the bucket will have to change. That would not work if the S3 bucket was write-protected.

In short, don't mess with SmartStore buckets.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-28-2021

The docs don't mention it, but I'd say no.

Splunk buckets (other than hot buckets) are, by nature, WORM. They are never changed once written. However, the metadata associated with a bucket can change if, for example, a datamodel changes then the associated tsidx file in the bucket will have to change. That would not work if the S3 bucket was write-protected.

In short, don't mess with SmartStore buckets.

---
If this reply helps you, Karma would be appreciated.

dm1 · ‎09-28-2021

That makes sense. Thanks for your helpful answer @richgalloway

Can we enable WORM on SmartStore S3 buckets ?

index

Unleash Unified Security and Observability with Splunk Cloud Platform

Enterprise Security Content Update (ESCU) | New Releases

Join the Splunk Developer Program Hackathon: Splunk Build-a-thon!