Splunk Enterprise

Low Raw To Index Ratio (_audit)


We were investigating some indexes that have low RAW to Index Ratio and came across _audit whose RAW to Index Ratio is 0.81:1.

Screenshot 2021-09-23 at 12.30.02.png

At first glance, _audit seemed a good candidate to learn how to find out if an index has high cardinality and what we can do about it (like tsidx reduction along with bloomfilters). First is not frequently searched to test tsidx reduction or bloomfilters, moreover, it is an index that everyone has in their Splunk installations so, we could benefit from common knowledge. 

We came accross the following numbers about cardinality by taking a sample of the data and using tstats and walklex:

earliestlatestnumber of eventskeywords in lexiconmin number of events per keywordkeywords with min number of eventspercentage of keywords with min number of events
18/09/2021 00:0022/09/2021 24:0057219456764698101766692,61%


Just by looking at the above table it is hard to tell if we are in front of an index whose data changes a lot or not. What is considered a high cardinality index? It would be awesome to have some reference numbers but i was not able to find them anywhere.

Q1: Do we have any reference numbers that once compared to, would unequivocally tell us either or not the bucket is an  high cardinality one? Nonetheless, should we expect Raw to Index Ration to drop bellow 1:1?

Then we went through and inspected the size of the tsidx files against the size of the buckets

indexer vmbucketsize_bytestsidxsize_bytesbucketsize_megabytestsidxsize_megabytes

Results show that the tsidx files take around ~69% of the overall disk space needed to store the _audit index in the indexers

Q2: Once again, is this a sign of high cardinality?

Q3: Lastly, any SEGMENTATION config that is commonly applied to _audit index? 


0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...