Solved: SmartStore, why ES requires 90days local

damindragunatil · ‎03-13-2021

Hi, can someone answer the reason for Splunk SmartStore requiring 90days of local storage when using Enterprise Security rather than 30days?

Many thanks in advance

scelikok · ‎03-13-2021

Hi @damindragunatil,

ES needs to span 90 days historical data for baselining. This is mostly used for detecting historical anomalies.

Another reason is datamodel accelerations/backfills. These process scans old data to check if there is any data that has not accelerated yet.

Periodically accessing old events may result huge eviction and download processes which will affect your overall performance. That is why 90 days cache is recommended.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

damindragunatil · ‎03-14-2021

Thank you for the explanation, very much appreciated.

Regards

Damindra

scelikok · ‎03-13-2021

Hi @damindragunatil,

ES needs to span 90 days historical data for baselining. This is mostly used for detecting historical anomalies.

Another reason is datamodel accelerations/backfills. These process scans old data to check if there is any data that has not accelerated yet.

Periodically accessing old events may result huge eviction and download processes which will affect your overall performance. That is why 90 days cache is recommended.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

SmartStore, why ES requires 90days local

smartstore

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases