Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Smartstore - Can we implement this solution for a framework that consists of multiple unclustered Indexers and if yes, how do we do that?

bvivek18
New Member
‎11-12-2019 09:01 PM

Hello Everyone,

Wanted to see if you guys have any inputs or suggestions on this. Recently I and my team attended the Splunk confernce (.conf19) and we went through some sessions of Splunk SmartStore. We wanted to implement this solution in our environment. We created the necessary Epics and starting building some related stories.

SmartStore is an indexer feature that provides a way to use remote object stores, such as Amazon S3, to store indexed data. By reducing reliance on local storage, SmartStore allows us to scale compute and storage resources separately, thus improving the efficiency of resource usage.

We have one of the brands/customers that are using a Splunk instance which consists of multiple Unclustered Indexers.

Wanted to see how would be our best approach to implement SmartStore with this framework i.e Unclustered Indexers, and if its possible to implement this solution and what options do we have on our plate here.

Appreciate any feedback on this.

thank you

vivek

Labels (1)
Labels
0 Karma
Reply

bvivek18
New Member
‎11-13-2019 05:23 PM

This is the feedback I have receieved so far.

  • S2 is meant to be used with clustered indexers; it should reduce the number of cold buckets you need from {replication & search factor} number of buckets to 1.
    While it might work on standalone indexers, you’re not reducing the amount of storage you need. Also, smart store needs an amount of cache per indexer too; there are formulas for that for clusters, but not for standalone.
    I’d be suggesting to your client that they move to clustering first. You don’t have to make the legacy buckets clustered, you can let them age out; PS has ways of making the legacy buckets part of the cluster, though.

  • Also, keep in mind that bandwidth is very important for this to work well and that once buckets are up there(S3), you can not revert. So be sure to only push small amounts to S3 as you begin

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...