hot/warm buckets

pbrinkman · ‎06-12-2019

hi all,

I have seperate drive for my hot/warm and cold data.
The hot/warm drive is near capacity.

Looking to find an easy way to calculate how much data each index will hold.
One example index config set is as below

10955Mb ingest per day (10.9Gb)
MazDataSize = 750mb (max size in MB for a hot bucket to reach before it rolls to warm)
maxWarmDBCount = 436 (max number of warm buckets)
maxtotalDataSize = 4328249mb (4328Gb) (maximum size of the index (in Mb)
frozenTimePeriodinSecs = 34128000 (395days in seconds)(number of seconds after which indexed data rolls to frozen)
overall retention = 395 (13months)
overall warm in days = 30

I would like to know how i can work out what size this indexed data should take up on my hot/warm and cold drives.
The split of the 4328Gb between the hot/warm & cold drives over 13months.
Does anyone know how best to calculate this ?

Cheers
Paul

harsmarvania57 · ‎06-12-2019

Hi,

Have you looked at https://splunk-sizing.appspot.com/, it will be a good starting point.

kmorris_splunk · ‎06-12-2019

I was just about to share the same thing. This is a great tool for this task. You can play around with different retention times for hot/warm, cold, and archived (frozen).

hot/warm buckets

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)