Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Creating large, multi-terabyte indexes

williamsweat
Path Finder
‎02-28-2012 10:38 AM

Hi,

I have a few indexes that I want to expand to be multiple terabytes. Are there general guidelines about this? Should I increase the number of buckets, and if so what's considered 'just right' for a 2TB (or more) index?

What can I expect if I need to run an fsck? Will large indexes make running this out of the question?

Thanks,
Will

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎03-08-2012 06:20 PM

Splunk automatically creates buckets as needed. You don't need to do anything about buckets for a 2TB index; this is not considered a particularly large index in Splunk. (There are customers who add much more than 2TB every day.)

However, you do need to change the maximum size of your index, as the default maximum size is 500,000MB (or .5TB) You can change this setting in the configuation file indexes.conf (maxTotalDataSizeMB) or you can do it via the user interface in the Splunk Manager.

Contrary to wdhathaway's post - a Splunk index is not implemented as a monolithic file; it is in fact a number of files. But I don't think that you will have a significant fsck problem anyway.

FInally, for more about indexes and sizing take a look at

Managing Indexes

Create and edit indexes

Reply

wdhathaway
Explorer
‎02-28-2012 11:23 AM

I'm not sure on the bucket size part of your question, but as far as your fsck question goes,
In general, fsck times are linear with number of inodes, so for a file system filled with a smaller number of large files (like Splunk indexes), it should be much faster to fsck than a file system filled with with a huge amount of small files.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...