Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Size of data on 64bit systems before being rolled to cold

eqalisken
Explorer
‎11-02-2010 07:20 AM

Hi,

Quick question, with maxDataSize on a 64bit system set to auto_high_volume = 10GB and the default number of buckets being 300 then presumably data starts getting rolled to cold at around 3TB. Is maxTotalDataSizeMB still set to 0.5TB? If so data would normally never get to cold? Thanks

Tags (1)
Reply

Simeon
Splunk Employee
Splunk Employee
‎11-02-2010 03:05 PM

It is possible that data will never transition to the cold db. With the default bucket settings in the main/default index, a 3 TB system may never transition to cold. By the time you get close to the 3 TB disk limit, your minFreeSpace (set in server.conf) will dictate if Splunk will stop indexing.

If you have a system that has 500 GB available on the root partition and a large amount (maybe 3 TB) on an NFS mount, we recommend you leverage the cold db on the NFS mount and tune the warm buckets to fit the root partition. This is done because you typically have higher read/write performance on the local disk. So in this particular scenario, with one main index, you would tune at least 5-10 hot buckets, 30+ warm buckets, and the remainder to exist on the cold db.

Reply
Get Updates on the Splunk Community!

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...