Solved: Can we enable WORM on SmartStore S3 buckets ?

dm1 · ‎09-27-2021

Does Splunk support enabling WORM on SmartStore S3 buckets ?

richgalloway · ‎09-28-2021

The docs don't mention it, but I'd say no.

Splunk buckets (other than hot buckets) are, by nature, WORM. They are never changed once written. However, the metadata associated with a bucket can change if, for example, a datamodel changes then the associated tsidx file in the bucket will have to change. That would not work if the S3 bucket was write-protected.

In short, don't mess with SmartStore buckets.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-28-2021

The docs don't mention it, but I'd say no.

Splunk buckets (other than hot buckets) are, by nature, WORM. They are never changed once written. However, the metadata associated with a bucket can change if, for example, a datamodel changes then the associated tsidx file in the bucket will have to change. That would not work if the S3 bucket was write-protected.

In short, don't mess with SmartStore buckets.

---
If this reply helps you, Karma would be appreciated.

dm1 · ‎09-28-2021

That makes sense. Thanks for your helpful answer @richgalloway

Can we enable WORM on SmartStore S3 buckets ?

index

other

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?