Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SmartStore Sizing

mwdbhyat
Builder
‎08-19-2019 06:18 AM

Hi there,

Im looking at sizing an environment for SmartStore - does anyone have a formula or speadsheet that will factor in my storage needs for the entire clusters local storage, including smartstore cache?

Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎11-03-2019 05:55 PM

Remote Object Store sizing = Daily Ingest Rate x Compression Ratio x Retention period

Compression ratio is generally 50% (15% from the compression of rawdata and 35% from the tsidx metadata files) but this is entirely dependent on the type of data. For higher cardinality data, this percentage can go down resulting in lower compressed data or increase in the storage sizing requirement.

Global Cache sizing = Daily Ingest Rate x Compression Ratio x (RF x Hot Days + (Cached Days - Hot Days))
Cache sizing per indexer = Global Cache sizing / No.of indexers

Cached Days = Splunk recommends 30 days for Splunk Enterprise and 90 days for Enterprise Security
Hot days = Number of days before hot buckets roll over to warm buckets. Ideally this will be between 1 and 7 but configure this based on how hot buckets rolls in your environment.

read here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/SmartStoresystemrequirements
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/SmartStorearchitecture

answer is from here:
https://answers.splunk.com/answers/764258/smartstore-how-to-calculate-storage-requirements-f-1.html

View solution in original post

Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎11-03-2019 05:55 PM

Remote Object Store sizing = Daily Ingest Rate x Compression Ratio x Retention period

Compression ratio is generally 50% (15% from the compression of rawdata and 35% from the tsidx metadata files) but this is entirely dependent on the type of data. For higher cardinality data, this percentage can go down resulting in lower compressed data or increase in the storage sizing requirement.

Global Cache sizing = Daily Ingest Rate x Compression Ratio x (RF x Hot Days + (Cached Days - Hot Days))
Cache sizing per indexer = Global Cache sizing / No.of indexers

Cached Days = Splunk recommends 30 days for Splunk Enterprise and 90 days for Enterprise Security
Hot days = Number of days before hot buckets roll over to warm buckets. Ideally this will be between 1 and 7 but configure this based on how hot buckets rolls in your environment.

read here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/SmartStoresystemrequirements
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/SmartStorearchitecture

answer is from here:
https://answers.splunk.com/answers/764258/smartstore-how-to-calculate-storage-requirements-f-1.html

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...