Splunk Enterprise Security

SmartStore Cache Policy to Preserve Recent Buckets while searching from S3 Object Store

stewdapew
Loves-to-Learn

I want to balance the use of cache capacity with SmartStore. I want to keep recent buckets in cache while allowing older buckets to be expired so I can search with the S3 object store.

Based on what I read in...

https://docs.splunk.com/Documentation/Splunk/8.0.2/Indexer/ConfigureSmartStorecachemanager

I believe setting "hotlist_recency_secs" and "hotlist_bloom_filter_recency_hours" would allow me to accomplish what I seek. i.e. protect buckets processed within the last 7 days and use remaining cache capacity for buckets retrieved from S3.

Can someone confirm my logic or point me in the right direction?

thx
-v

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!