Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How does Splunk estimate the total raw data size?

srajarat2
Path Finder
‎01-22-2017 01:21 AM

I had just setup Splunk with indexer clustering (RF-3, SF-2) with no data and initially loaded 1TB of syslog file using oneshot. The "Index Detail: Deployment" page showed that the total index size is 1121GB whereas the total raw data size (uncompressed) as 1783GB and hence the Raw to Index Size Ratio at 1.59:1.

My question is how is it possible for 1024GB (1TB) file to be treated as 1783GB?

0 Karma
Reply

somesoni2
Revered Legend
‎01-22-2017 12:52 PM

The index size doesn't only depends upon the uncompressed raw data size. The Splunk create a compressed raw data files, as well as, a set of index files to make it searchable. The index consists of both these type of files. The compression ratio of raw data files and size of index files depends upon various factor. For more information, see following documentation. (see 2nd link for example of how Splunk calculates space).

http://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/HowSplunkstoresindexes
http://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/Systemrequirements#Storage_requirement_exa...

0 Karma
Reply

srajarat2
Path Finder
‎01-22-2017 06:59 PM

Sorry, if I was not clear. I am not asking about the index size. I do understand the sizing calculations on rawdata (RF) and tsidx (SF) in a clustered indexer mode. My question is specifically on the page "Index Detail: Deployment" page which shows the following information under "Index Structure Overview" (in 6.5.1).

  8 (Indexers)        1121GB (Total Index Size)     1783GB (Total Raw Data size (uncompressed))                                          1.59:1 (Raw to Index Size Ratio)

My question is specifically on how Splunk measures the "Total Raw Data size (uncompressed)" as I just ingested a 1024GB syslog file and I was hoping to see that as the total raw data size and not 1783GB.

0 Karma
Reply

srajarat2
Path Finder
‎01-22-2017 07:25 PM

You can see the screenshot here.

alt text

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...