I have 2 sites with multi-site clustering enabled, one site with 3 indexes, 15TB disk each, and another site with 2 indexes, 30TB disk each.
My license is 200GB and the data retention policy is 15TB or 365 days. Can this result in loss of data?
Data will not be lost due to ingesting more data or having smaller capacity to ingest data. What will happen is data will be rolled out of Splunk faster. So if you are ingesting 200GB a day, after 1 year you have 73TB of data, so the older buckets will be rolled to frozen, either deleted (by default) or processed by a script you may want to run when the time comes for them to be rolled from cold to frozen.
I would think you would need to consider a few others as well.
Thanks Lakshman, this is exactly what I have listed as my explanation but still wanted the second opinion.
Thanks much for your explanation.
Here we have to consider other factors as well. What is your replication factor?
If there is no replication factor, and you are only maintaining one replica, the total usage will be as follows:
raw data = 200GB
replica = 200GB
So a total of 400GB of data if you are utilizing the complete license on a daily basis; per year it would be 144 TB. You only have 75 TB of total disk space, hence this would result in data loss.
Consider that your retention policy is only 15 TB or 365 days, whichever comes first; in that case also the retention policy affects only the searchable data, but even then the data will be lost once you hit 75 TB of the total disk usage.
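
The "15TB or 365 days" retention policy and the cold-to-frozen rollover described in the first answer map onto `indexes.conf` settings roughly as follows. This is an added example, not part of the thread or any poster's configuration; the index name `main_example` and the archive path are hypothetical, and it assumes the policy is meant per index.

```ini
# indexes.conf (added example; index name and paths are hypothetical)
[main_example]
homePath   = $SPLUNK_DB/main_example/db
coldPath   = $SPLUNK_DB/main_example/colddb
thawedPath = $SPLUNK_DB/main_example/thaweddb

# Replicate this index across the cluster peers.
repFactor = auto

# Time limit: 365 days * 86400 s. A bucket rolls to frozen once its
# newest event is older than this.
frozenTimePeriodInSecs = 31536000

# Size limit: 15 TB expressed in MB (15 * 1024 * 1024). This is enforced
# per index on each indexer, not across the whole cluster, so every peer
# needs enough disk for its own share. Whichever limit is reached first
# triggers the roll to frozen, oldest buckets first.
maxTotalDataSizeMB = 15728640

# Default behaviour at frozen is deletion. Setting an archive directory
# keeps a copy of the bucket instead; coldToFrozenScript is the
# alternative when a custom script should handle the bucket.
coldToFrozenDir = /archive/splunk/main_example/frozen
```

If neither `coldToFrozenDir` nor `coldToFrozenScript` is set, buckets that age out or exceed the size cap are deleted, which is the point at which audit or incident-response data stops being recoverable.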