How to plan/Predict DDAS size?

skseifert · ‎08-03-2023

I know the data is there, and that this question is possible through the Chargeback app - but has anyone performed SPL query of their environment to be able to predict, based on current ingest rates, and retention policies, what my index sizes will be in my DDAS storage? I am trying to develop a good understand of where I should be topping out, after events age out and move to DDAA storage.

livehybrid · ‎08-04-2023

I've spent a fair bit of time looking into a similar issue in the past, whilst I dont have the SPL to hand to share, one of the things that made a significant difference was looking at the historic daily ingest versus the current daily ingest. If (or when) the index reaches the retention time (assuming its not limited on storage) then you should take off 1 day of the original ingestion rate and add on 1 day of the current ingestion rate - its not safe to assume if the retention is 90 days and you've got 90 days of data that it will not grow!

To know this data you might find it best to summarise the license/ingest metrics along with some info from dbinspect to help work out the growth. My specific use-case was on-premise which has to consider compression/tsidxreduction etc which you do not need to consider in Cloud so hopefully this might be simpler(!).

Hopefully this helps a little.

How to plan/Predict DDAS size?

administration

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?

How to plan/Predict DDAS size?

administration

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)