Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compression rate for indexes / hot / warm / cold / frozen ?

clyde772
Communicator
‎07-03-2012 10:28 AM

I have a few easy question about splunk data compression rate.

  1. What is the typical compression rate for english ASCII based data?

  2. Is the compression rate different from hot / warn / cold / frozen?

  3. Does hot buckets also get compressed?

Easy, huh? Thanks for your answer!

Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎07-03-2012 10:54 AM

easy :

1 - roughly between 1 and infinite minus one.
Seriously, it depends of your data, here is a method is to calculate it.
I usually see about 40%~50% compression.

in this example we look at index=_internal, please replace by your index.



| dbinspect index=_internal

| fields state,id,rawSize,sizeOnDiskMB 

| stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB

| eval rawTotalinMB=(rawTotal / 1024 / 1024) | fields - rawTotal

| eval compression=tostring(round(diskTotalinMB / rawTotalinMB * 100, 2)) + "%"

| table rawTotalinMB, diskTotalinMB, compression

2 - the compression rate is identical for hot / warm / cold / frozen
However when a bucket is frozen, some metadata files are removed or compressed (it saves some MB), they can be recreated when thawed.

3 - the hot buckets are been written already compressed.

View solution in original post

Reply
Solved! Jump to solution

edoardo_vicendo
Builder
‎01-08-2025 07:14 AM

See my reply here if it can help

https://community.splunk.com/t5/Deployment-Architecture/Splunk-Storage-Sizing-Guidelines-and-calcula...

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎07-03-2012 10:54 AM

easy :

1 - roughly between 1 and infinite minus one.
Seriously, it depends of your data, here is a method is to calculate it.
I usually see about 40%~50% compression.

in this example we look at index=_internal, please replace by your index.



| dbinspect index=_internal

| fields state,id,rawSize,sizeOnDiskMB 

| stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB

| eval rawTotalinMB=(rawTotal / 1024 / 1024) | fields - rawTotal

| eval compression=tostring(round(diskTotalinMB / rawTotalinMB * 100, 2)) + "%"

| table rawTotalinMB, diskTotalinMB, compression

2 - the compression rate is identical for hot / warm / cold / frozen
However when a bucket is frozen, some metadata files are removed or compressed (it saves some MB), they can be recreated when thawed.

3 - the hot buckets are been written already compressed.

Reply
Solved! Jump to solution

splunkreal
Motivator
‎12-10-2019 08:28 AM

Hello guys,
it looks like frozen data is around -50% compared to hot/cold, is this correct?
Thanks.

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Solved! Jump to solution

sakthiganesht
New Member
‎09-06-2019 05:12 AM

With the above logic for most of the indexers I see 200+% compression an eg rawTotal=42726 and diskTotalinMB = 102921.

As per documentation compression should be around 50% meaning diskTotalinMB should be halfth the rawTotal. But in my case it is more than 2.5 times. Any pointers why it consumes more disk space?

0 Karma
Reply
Solved! Jump to solution

hunderliggur
Path Finder
‎09-06-2019 12:28 PM

It all depends on your data. If you are using indexed extractions on json data you will get virtually no reduction is total disk size since the tsidx files will be huge compared to typical syslog data (on which the documentation is built).

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎08-27-2013 10:53 AM

Always a good idea to add new data to a test index and check for

compression
line-breaking
time-stamping

before creating the input in a production environment.

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎08-27-2013 10:43 AM

No.
But you can run a test by segregating each source/sourcetype to a different index, index a significant sample, then compare with the previous search.

0 Karma
Reply
Solved! Jump to solution

cphair
Builder
‎08-27-2013 10:36 AM

@yannk, is there a straightforward way to calculate compression ratios for different sources or sourcetypes within an index?

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎01-22-2013 12:28 PM

extra question :

  • is the license volume counted on the stored compressed data or on the uncompressed data ?
  • Answer -> on the uncompressed data.
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎07-03-2012 11:03 AM

Featuring "Sanford" for the search.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering. Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...