
Splunk SmartStore - Can we implement this solution for a framework that consists of multiple unclustered indexers, and if yes, how do we do that?

New Member

Hello Everyone,

Wanted to see if you guys have any inputs or suggestions on this. Recently my team and I attended the Splunk conference (.conf19) and we went through some sessions on Splunk SmartStore. We wanted to implement this solution in our environment. We created the necessary Epics and started building some related stories.

SmartStore is an indexer feature that provides a way to use remote object stores, such as Amazon S3, to store indexed data. By reducing reliance on local storage, SmartStore allows us to scale compute and storage resources separately, thus improving the efficiency of resource usage.

We have one of the brands/customers that is using a Splunk instance which consists of multiple unclustered indexers.

Wanted to see what would be our best approach to implement SmartStore with this framework, i.e. unclustered indexers, whether it's possible to implement this solution, and what options we have on our plate here.

Appreciate any feedback on this.

Thank you


0 Karma

New Member

This is the feedback I have received so far.

  • S2 is meant to be used with clustered indexers; it should reduce the number of cold buckets you need from {replication & search factor} number of buckets to 1.
    While it might work on standalone indexers, you’re not reducing the amount of storage you need. Also, SmartStore needs an amount of cache per indexer too; there are formulas for that for clusters, but not for standalone.
    I’d be suggesting to your client that they move to clustering first. You don’t have to make the legacy buckets clustered, you can let them age out; PS has ways of making the legacy buckets part of the cluster, though.

  • Also, keep in mind that bandwidth is very important for this to work well and that once buckets are up there (S3), you cannot revert. So be sure to only push small amounts to S3 as you begin.

0 Karma
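A SmartStore configuration for one standalone indexer that follows the "start small" advice above, as an added example (not from the posters in this thread or from Splunk): only a single test index gets a `remotePath`, so every other index stays on local storage. The index name, bucket name, region endpoint and cache size are placeholder assumptions, and it assumes the indexer gets its S3 credentials from an instance IAM role.

```ini
# ---- indexes.conf (on the standalone indexer) ----

# Remote volume backed by S3. Bucket and prefix are placeholders.
[volume:remote_store]
storageType = remote
path = s3://EXAMPLE-BUCKET/smartstore
# Placeholder endpoint; use the one for the bucket's region.
remote.s3.endpoint = https://s3.us-east-1.amazonaws.com
# Server-side encryption for uploaded buckets.
remote.s3.encryption = sse-s3
# No remote.s3.access_key / remote.s3.secret_key here:
# assumption is that credentials come from an instance IAM role,
# which keeps long-lived keys out of the config file.

# Only this test index is SmartStore-enabled. remotePath is set
# per index and NOT under [default], because buckets uploaded
# to S3 cannot be reverted to local-only storage.
[smartstore_test]
homePath   = $SPLUNK_DB/smartstore_test/db
coldPath   = $SPLUNK_DB/smartstore_test/colddb
thawedPath = $SPLUNK_DB/smartstore_test/thaweddb
remotePath = volume:remote_store/$_index_name

# ---- server.conf (on the same indexer) ----

# Local cache for buckets fetched from S3, in MB.
# 200000 is a placeholder; size it for this indexer's search load,
# since the thread notes there is no standalone sizing formula.
[cachemanager]
max_cache_size = 200000
```

Once the test index behaves acceptably under the available bandwidth, further indexes can be migrated one at a time by adding `remotePath` to their stanzas.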