Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Index holding data

bharathkumarnec
Contributor
‎05-24-2017 12:15 AM

Hi Team,

We wanted to keep one year data in splunk for few of the indexes in our environment, we understand that we can make it in splunk but we need to have additional storage capacity available to achieve this requirement.

What is the best approach to store the data as per our requirement & the data that we store for one year should be fetched at any point in time.

Kindly help me out with best possible option.

TIA

Regards,
BK

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-24-2017 08:17 AM

Keep it in warm and make sure that you have enough disk space allotted to contain it (with fudge factor). There is a tool referenced here than can help:

https://www.splunk.com/blog/2015/02/18/splunk-sizing-made-easy.html

The best option, though, is roll up aggregate summary details regarding your raw events (perhaps daily totals/averages) and save this to a Summary Index which will vastly reduce the amount of storage required:

https://docs.splunk.com/Documentation/Splunk/6.6.0/Knowledge/Usesummaryindexing

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-24-2017 08:17 AM

Keep it in warm and make sure that you have enough disk space allotted to contain it (with fudge factor). There is a tool referenced here than can help:

https://www.splunk.com/blog/2015/02/18/splunk-sizing-made-easy.html

The best option, though, is roll up aggregate summary details regarding your raw events (perhaps daily totals/averages) and save this to a Summary Index which will vastly reduce the amount of storage required:

https://docs.splunk.com/Documentation/Splunk/6.6.0/Knowledge/Usesummaryindexing

Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...