We were investigating some indexes that have low RAW to Index Ratio and came across _audit whose RAW to Index Ratio is 0.81:1.
At first glance, _audit seemed a good candidate to learn how to find out if an index has high cardinality and what we can do about it (like tsidx reduction along with bloomfilters). First, it is not frequently searched, so we can test tsidx reduction or bloomfilters on it; moreover, it is an index that everyone has in their Splunk installations, so we could benefit from common knowledge.
We came across the following numbers about cardinality by taking a sample of the data and using tstats and walklex:
- number of events
- keywords in lexicon
- min number of events per keyword
- keywords with min number of events
- percentage of keywords with min number of events
Just by looking at the above table it is hard to tell if we are in front of an index whose data changes a lot or not. What is considered a high cardinality index? It would be awesome to have some reference numbers but I was not able to find them anywhere.
Q1: Do we have any reference numbers that, once compared to, would unequivocally tell us whether or not the bucket is a high cardinality one? Nonetheless, should we expect RAW to Index Ratio to drop below 1:1?
Then we went through and inspected the size of the tsidx files against the size of the buckets.
Results show that the tsidx files take around 69% of the overall disk space needed to store the _audit index on the indexers.
Q2: Once again, is this a sign of high cardinality?
Q3: Lastly, any SEGMENTATION config that is commonly applied to _audit index?
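As an added example (not part of the original post), the script below computes the cardinality figures listed in the table above and the tsidx share of a bucket from constructed inputs: a walklex-style mapping of lexicon term to event count, and a list of bucket files with sizes. The shapes of both inputs are assumptions, not real walklex or dbinspect output.

```python
"""Cardinality and tsidx-share metrics for a Splunk bucket, computed from
constructed samples (input shapes are assumed, not real walklex output)."""
from dataclasses import dataclass


@dataclass
class CardinalityReport:
    events: int
    keywords: int
    min_events_per_keyword: int
    keywords_at_min: int
    pct_keywords_at_min: float


def cardinality_report(term_counts: dict, events: int) -> CardinalityReport:
    """term_counts maps each lexicon keyword to the number of events that
    contain it (what walklex reports per term); events is the bucket's
    event count (from tstats). When most keywords sit at the minimum
    count, most terms are near-unique: the signature of high cardinality."""
    if not term_counts:
        raise ValueError("empty lexicon")
    min_count = min(term_counts.values())
    at_min = sum(1 for c in term_counts.values() if c == min_count)
    pct = round(100.0 * at_min / len(term_counts), 2)
    return CardinalityReport(events, len(term_counts), min_count, at_min, pct)


def tsidx_share(bucket_files: list) -> float:
    """bucket_files is a list of (path inside the bucket, size in bytes).
    Returns the percentage of bucket bytes taken by .tsidx files."""
    total = sum(size for _, size in bucket_files)
    tsidx = sum(size for path, size in bucket_files if path.endswith(".tsidx"))
    return round(100.0 * tsidx / total, 2) if total else 0.0


# Constructed sample: 1000 events whose lexicon is dominated by tokens that
# occur in exactly one event (search ids), plus a few common terms.
SAMPLE_TERMS = {f"sid_{i:04d}": 1 for i in range(800)}
SAMPLE_TERMS.update({"action=search": 600, "user=admin": 350,
                     "info=granted": 900, "host::idx01": 1000})
SAMPLE_EVENTS = 1000

SAMPLE_BUCKET = [  # constructed file sizes in bytes
    ("rawdata/journal.gz", 3_100_000),
    ("1479342600-1479339000-0.tsidx", 5_800_000),
    ("1479346200-1479342600-1.tsidx", 1_100_000),
    ("bloomfilter", 40_000),
    ("Hosts.data", 2_000), ("Sources.data", 2_000), ("SourceTypes.data", 2_000),
]

if __name__ == "__main__":
    print(cardinality_report(SAMPLE_TERMS, SAMPLE_EVENTS))
    print(f"tsidx share of bucket: {tsidx_share(SAMPLE_BUCKET)}%")
```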