Splunk Enterprise

how much storage we can save by enabling frozen bucket concept and roll over data from cold bucket


how much storage we can save by enabling frozen bucket and roll over data from cold bucket.

We have tons of data coming in and instead of storing data in cold db for 1 year ,we want to store it in cold db for 3 months max and older than that we will move to frozen bucket , but by enabling that we would like to understand how much storage we can save if we store 9 months data in frozen and retrieve it whenever required.

Example: you can take 3 TB coming in per day ,we have 14 indexers ,multi site cluster (R.F-2, S.F-1).
We would like to keep data till 3 months (max) in hot\warm\cold DB then we would store that frozen DB.
what would be compression factor if we do that , is it gonna save some storage or it will consume same storage that

Labels (1)
0 Karma

It depends. If you leave the frozen buckets on the same storage device then you're just saving yourself the metadata that is discarded when buckets are frozen. That's about 15% of the original data size.
If you move the frozen buckets to a different storage device then you'll save roughly 75%.
Buckets are already compressed so freezing them does not change the compression factor.
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...