For SmartStore with ES, which requires local disk ...

dm1 · ‎09-22-2021

I am currently working on the architecture design for our Splunk platform in AWS

We have ES and are planning to leverage Smart Store for low cost data retention. I was reading through the pre-reqs of Smart Store. and one of the pre-reqs states, "For SmartStore use with Splunk Enterprise Security, confirm that you have enough local storage available to accommodate 90 days of indexed data, instead of the 30 days otherwise recommended. See Local storage requirements."

Now if our data retention requirement itself is a total 90 days worth of data, out of which we are planning to store 50 days worth of data on local fast storage (to save on cost which is the whole idea behind using SS) but if local disk for 90 days worth of indexed data is mandatory, is it even worth considering S3 ?

Could anyone please help with some advice on this ?

richgalloway · ‎09-22-2021

90 days of local cache is not mandatory for ES. It may, however, be necessary. It depends on your datamodel accelerations. By default, many have a summary range of 3 months, which is where the 90-day recommendation comes from. If you've tuned your datamodels down then you may get away with a smaller cache.

---
If this reply helps you, Karma would be appreciated.

For SmartStore with ES, which requires local disk for 90 days eq. of data, what if our retentn req is total 90 days ?s ?

installation

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!