Hey Gurus,
I have a situation where my data that's been stored in my indexers are bigger than the original data. What happened? How could this possible? We did't touch much config where all ciritical conf should be initial config.
Anybody have any ideas?
Thanks!
Do you have multiple data sources feeding into the indexer? Also have you setup any index time field extractions?
If you are just forwarding data across with no additional stuffs then there must be additional data being added at some point or excessive index time extractions. Roughly you get 50% compression ratio with Splunk (entirely dependent on your data though), Splunk will also create metadata files associated with your indexes that have metafields to speed indexing as well as bloom filters and other files.