Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to estimate the splunk storage size

ajaysamantbms
Explorer
‎05-12-2014 11:31 AM

I will be feeding in 10 GB per day to 2 splunk indexers (clustered environment)
Replication Factor = 2
Searchable Factor = 2

How to estimate the storage size for index data on each indexer?

Assuming data retention policy for search will be around for 1 year.

Tags (2)
Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-12-2014 02:00 PM

We can estimate to an extent, but it will depend on a variety of factors:

  1. How well your raw data compresses
  2. How big the TSIDX files wind up being for your data
  3. Will you have summary indexes, or search accelerations, or accelerated data models (all of which take up extra space)

We'll make a conservative estimate, assuming that after compression and TSIDX creation your data will be 75% of its original size - and we'll also assume for the time being you will not have any summary or acceleration data...

10GB * 365 days * .75 = 2.8T of space before replication. With ideal load balancing across indexers, each should use 1.4T of space before clustering. Your RF=2/SF=2 clustering across two indexers will mean that each indexer will need 2X that storage, so you'll need 2.8T of storage per indexer.

I would include some extra bytes for filesystem overhead, and other things like your _internal indexes and round it up to 3T.

The only assumption here which is really hard to validate is whether or not your data post-indexing will be 75% of the raw size. For typical IT data, this is a pretty conservative estimate and should leave you some wiggle room. But the only way you'll know for sure is to take say a 1GB sample of your logs and see what they wind up needing space-wise once indexed - then you can adjust the 75% up or down as needed.

Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-12-2014 02:18 PM

GOOD POINT! Each indexer should be getting 5GB/day which is then duplicated 2x to 10GB/day. DERP. I fixed the math. Thanks @martin_mueller!

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-12-2014 02:09 PM

While I agree with most of your calculations, I'd have one difference to ponder: If you have a cluster of 2 with SF of 2, each indexer should be storing 100% of the incoming data - not 200%.

As a result, I'd expect 1.4T per indexer before replication (load balancing forwarders) and 2.8T per indexer after replication

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...