Hi @andynewsoncap,

let me understand: you have 5 Clusters of Indexers or 5 Indexers in one Cluster?

Anyway, also 70 indexes are very many in my opinion!

About Compression Factor the values are the ones I described: 0.15 for row data and 0.35 for indexes.

About Replication Factor and Search Factor, they depends on the affidability you want:

if you have 5 Indexers, how many Indexers can be down without missing data?

Replication Factor and search factor can be eual to number of indexers, in this case you have all the data in all indexers and you system have a consistent base of data also with 4 Indexers down but with a greater cost for storage, so you have to define the leverage of cost and affidability.

You can surely ask to Splunk PS on demand and I hint this or to ask to your reference Splunk Partner that should have a Splunk Architect.

Ciao.

Giuseppe

In fact we have 9 Index Clusters.

2 in US. 5 node Cluster and 3 node cluster

2 in APAC. 4 node Cluster and 3 node cluster

2 in LATAM. 4 node Cluster and 3 node cluster

2 in EMEA. 5 node Cluster and 3 node cluster

All reporting to one 9 node Search head cluster.  Which has its own 4 node ITSI Indexing Cluster.

2+ 2 + 2 + 2 + 1 

There are about 40,000 devices feeding it Data. lets say 10k / 10k / 10k / 10k 

All are set to 2 / 2. SF / RF.

Each Index Cluster has its own set of Indexes / Index names based on the Data it is collecting for that region.  So I can tell if this is EMEA data or USA Data. etc.etc.  Based of the source of the Indexer.  The customer has a habit of spinning up server in one region but colleting data for another region.  Yer dont ask.  Customer is always right. Right 🙂  For complex reason i will not go into here.  But this is how myself and Splunk PS designed it 3 years ago.  And its been running for 3 years now.

Now we need to ensure we are keeping the data for an appropriator amount of time.  Which we are not.

Hi @andynewsoncap,

for the complexity of your architecture, this isn't a question for the Community, but it requires a deep analysis from a Splunk PS or a Certified Splunk Architect.

Ciao.

Giuseppe

Yes complexity of your architecture.  But not if you break it down.  

Forget about all my Cluster.

Simple question.

How can I find out the Daily Size and Compression Ratio for an Index.  I know you said its  (0.15 x RF + 0.35 x SF) but i not sure that's is right.  But it may well work given I need to allow fudge factor.

Then expand the question.  To all the Indexers on a given set of Indexers.  

Something like.

What is the size of each index on a given set of Indexer for the last 30 days.  Them Simply take that answer / 30 to give an approximate daily ingestion size in MB.  Then take the  (0.15 x RF + 0.35 x SF) to work up a number.  And times that but a number of days for Hot/Warm and a number of Days for Cold. i.e. 

homePath.maxDataSizeMB =

And

coldPath.maxDataSizeMB =

And

maxTotalDataSizeMB =

Hi @andynewsoncap,

you can find the daily size of an index using the License Consuption Report .

the compression factor is usually around 50%, but a more detailed calculation is the one I shared, from the Splunk Architect Course.

total_disk_space = daily_indexing * (0.15 * RF + 0.35 * SF) * retention

obviously, this is the total required storage for a cluster, to have the storage required for each Indexer of a cluster you have to divide by the number of Indexers of the Cluster.

Ciao.

Giuseppe