Re: Indexes.conf setting for 90 days retention?

abhi04 · ‎06-11-2020

Hi All,

I have total of 30 GB of total data to be indexed which after indexing will be 15 GB as per splunk average compressing.

I have a total of 4 indexers with 1 TB of disk space. Can you please let me know the indexes.conf setting on each indexer for a retention of 90 days of searchable data in splunk. Does the below settings work or there can be some improvements that can be made?

I got this from the splunk sizing app.

http://splunk-sizing.appspot.com/#ar=0&cdv=1&cr=90&ds=1024&hwr=14&i=4&v=30

indexes.conf

# volume definitions

[volume:hotwarm_cold]

path = /mnt/fast_disk

maxVolumeDataSizeMB = 996148

# index definition (calculation is based on a single index)

[index_name]
homePath = volume:hotwarm_cold/defaultdb/db
coldPath = volume:hotwarm_cold/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
homePath.maxDataSizeMB = 53760
coldPath.maxDataSizeMB = 345600
maxWarmDBCount = 4294967295
frozenTimePeriodInSecs = 8985600
maxDataSize = auto

richgalloway · ‎06-11-2020

This should be fine.

---
If this reply helps you, Karma would be appreciated.

abhi04 · ‎06-11-2020

@richgalloway , any suggestions regarding the maxHotBuckets and maxWarmDBCount. Any best practise rearding those? What if I remove these two parameters and the config file looks like below. Will this be better or the previous settings?

# index definition (calculation is based on a single index)

[index_name]
homePath = volume:hotwarm_cold/defaultdb/db
coldPath = volume:hotwarm_cold/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
homePath.maxDataSizeMB = 53760
coldPath.maxDataSizeMB = 345600
frozenTimePeriodInSecs = 8985600
maxDataSize = auto_high_volume

Indexes.conf setting for 90 days retention?

configuration

using Splunk Enterprise

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!