Splunk Enterprise

Pre-emptive eviction of buckets on SmartStore?

agdk
Engager

Hi

 

We have a Splunk installation with SmartStore enabled. We have plenty of cache on disk, so we are nowhere near the space padding setting.

I have seen bucket downloads from S3, and I did not expect that. So my question is: does Splunk pre-emptively evict buckets, even if there is enough space? I see no documentation that states it does anything other than LRU.

 

Regards

André

1 Solution

kiran_panchavat
Communicator

@agdk If you’re observing bucket downloads from S3 unexpectedly, it might be worth investigating further. Verify that your SmartStore configuration is correctly set up. Ensure that the cache and cold storage volumes are properly configured. Confirm that the space padding setting is appropriately adjusted to avoid unnecessary eviction.

 

https://docs.splunk.com/Documentation/Splunk/latest/Indexer/TroubleshootSmartStore?_gl=1*j14jj0*_ga*... 


agdk
Engager

Yes, it was the padding / max cache size that was the culprit. The calculation I did was wrong.

 

Thank you

André
