Splunk Enterprise Security

SmartStore Cache Policy to Preserve Recent Buckets while searching from S3 Object Store

stewdapew
Loves-to-Learn

I want to balance the use of cache capacity with SmartStore. I want to keep recent buckets in cache while allowing older buckets to be expired so I can search with the S3 object store.

Based on what I read in...

https://docs.splunk.com/Documentation/Splunk/8.0.2/Indexer/ConfigureSmartStorecachemanager

I believe setting "hotlist_recency_secs" and "hotlist_bloom_filter_recency_hours" would allow me to accomplish what I seek. i.e. protect buckets processed within the last 7 days and use remaining cache capacity for buckets retrieved from S3.

Can someone confirm my logic or point me in the right direction?

thx
-v

0 Karma
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...