Re: index storage config

dall · ‎12-23-2020

Hi

We have a stand alone environment in which daily 100 GB data will be ingested, just want to know what would be the best index storage configuration in indexes.conf.

i have no. of indexes

i want to configure like this

[active-directory]

homePath= $SPLUNK_DB/active_directory/db

coldPath= $SPLUNK_DB/active_directory/colddb

thawedPath= $SPLUNK_DB/active_directory/thaweddb

maxHotBuckets=3

maxDataSize=300

maxWarmDBCount=300

maxTotalDataSizeMB=200000

frozenTimePeriodInSecs=172800

coldToFrozenDir= $SPLUNK_DB/ active_directory /frozendb

Can someone will help with suitable configuration, and what would be the disk space required to storage

if i ll config foe all indexes , ll i face any disk space issue??

gcusello · ‎12-23-2020

HI @dall,

only one information: do you really want to setup a retention of only two days?

Anyway, storage requiremnt is the following:

V = average of daily indexed logs (you can use also your license value);
C = compression factor: 0.5
R = retention (in days);
N = number of Indexers (1).

So your storage requiement is:

S = V * C * R / N = 100 * 0.5 * 2 / 1 = 100GB

Ciao.

Giuseppe

index storage config

other

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio