Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Smartstore hotlist_recency_secs

coreyCLI
Communicator
a week ago

I have an index with the hotlist_recency_secs set to 90 days (7776000 seconds).  In testing I ran searches for the past 30 days.  I noticed in the "Smartstore Cache Performance" dashboard that this 30 days search is triggering "misses".  Meaning that this 30 days search is downloading buckets from S3.  Why would a 30 days search on an index with hotlist_recency_secs set to 90 days need to download buckets for only a 30 day timeframe?  I assume either I have something misconfigured, or more likely, I am not fully understanding the eviction process?  the cachemanager, homePath setting, has 15tb per indexer so I don't believe its running out of space.

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
Monday

You're correct.  Those setting say to use all but 10GB of the 15TB so you should have plenty of storage.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
a week ago

The hotlist_recency_secs setting does not prevent a bucket from being evicted from the cache.  The goal is to keep the bucket in the cache for (at least) that long, but other demands on the cache may force an early eviction.

We can't tell is 15TB is enough cache space without knowing the ingestion rate.  For example, at 1TB/day, it would only hold 15 days of data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

coreyCLI
Communicator
Monday

Tracking.  I have 6 clustered indexers and roughly 300gb per day (right now) of ingest.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
Monday

15TB should be enough at 300GB/day.  Double-check the max_cache_size, min_free_space, and eviction_padding settings to ensure the entire space is available.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

coreyCLI
Communicator
Monday

Settings are defaults:

max_cache_size = 0

minFreeSpace = 5000

eviction_padding = 5120


So, if I am reading and understanding this correctly.  Cachemanager will use the entire 15tb use for homePath and only start evicting buckets using the sum of minFreeSpace + eviction_padding = 10120 MB (roughly 10gb of free space left)?

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
Monday

You're correct.  Those setting say to use all but 10GB of the 15TB so you should have plenty of storage.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...