Splunk Enterprise

Indexes.conf setting for 90 days retention?

abhi04
Path Finder

Hi All,

I have total of 30 GB of total data to be indexed which after indexing will be 15 GB as per splunk average compressing.

I have a total of 4 indexers with 1 TB of disk space. Can you please let me know the indexes.conf setting on each indexer for a retention of 90 days of searchable data in splunk. Does the below settings work or there can be some improvements that can be made?

 

I got this from the splunk sizing app.

http://splunk-sizing.appspot.com/#ar=0&cdv=1&cr=90&ds=1024&hwr=14&i=4&v=30

 

 

indexes.conf

# volume definitions

 

[volume:hotwarm_cold]
path = /mnt/fast_disk
maxVolumeDataSizeMB = 996148
# index definition (calculation is based on a single index)

[index_name]
homePath = volume:hotwarm_cold/defaultdb/db
coldPath = volume:hotwarm_cold/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
homePath.maxDataSizeMB = 53760
coldPath.maxDataSizeMB = 345600
maxWarmDBCount = 4294967295
frozenTimePeriodInSecs = 8985600
maxDataSize = auto

 

 

Labels (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust
This should be fine.
---
If this reply helps you, Karma would be appreciated.
0 Karma

abhi04
Path Finder

@richgalloway , any suggestions regarding the maxHotBuckets and  maxWarmDBCount. Any best practise rearding those? What if I remove these two parameters and the config file looks like below. Will this be better or the previous settings?

 

# index definition (calculation is based on a single index)

[index_name]
homePath = volume:hotwarm_cold/defaultdb/db
coldPath = volume:hotwarm_cold/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
homePath.maxDataSizeMB = 53760
coldPath.maxDataSizeMB = 345600
frozenTimePeriodInSecs = 8985600
maxDataSize = auto_high_volume

 

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...