Solved: Pre-emptive eviction of buckets on smartstore ?

agdk · ‎04-17-2024

Hi

We have a splunk installation with smart store enabled. We have plenty of cache on disk, so we are no near the space padding setting.

I have seen bucket downloads from the S3, and I did not expect that. So my question is, do Splunk pre-emptive evict buckets, even if there are enough space ? I se no documentation that states it does anything else than LRU.

Regards

André

kiran_panchavat · ‎04-19-2024

@agdkIf you’re observing bucket downloads from S3 unexpectedly, it might be worth investigating further.. Verify that your SmartStore configuration is correctly set up. Ensure that the cache and cold storage volumes are properly configured.?? Confirm that the space padding setting is appropriately adjusted to avoid unnecessary eviction..??

https://docs.splunk.com/Documentation/Splunk/latest/Indexer/TroubleshootSmartStore?_gl=1*j14jj0*_ga*...

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.

View solution in original post

kiran_panchavat · ‎04-19-2024

@agdkIf you’re observing bucket downloads from S3 unexpectedly, it might be worth investigating further.. Verify that your SmartStore configuration is correctly set up. Ensure that the cache and cold storage volumes are properly configured.?? Confirm that the space padding setting is appropriately adjusted to avoid unnecessary eviction..??

https://docs.splunk.com/Documentation/Splunk/latest/Indexer/TroubleshootSmartStore?_gl=1*j14jj0*_ga*...

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.

agdk · ‎04-21-2024

Yes, it was the padding / max cache size that was the culprit. The calculation I did was wrong.

Thank you

André

Pre-emptive eviction of buckets on smartstore ?

configuration

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout