Getting Data In

Splunk not compressed my 500G of data. Why?

clyde772
Communicator

Hey Gurus,

I have a situation where my data that's been stored in my indexers are bigger than the original data. What happened? How could this possible? We did't touch much config where all ciritical conf should be initial config.

Anybody have any ideas?

Thanks!

Tags (1)
0 Karma

Drainy
Champion

Do you have multiple data sources feeding into the indexer? Also have you setup any index time field extractions?

If you are just forwarding data across with no additional stuffs then there must be additional data being added at some point or excessive index time extractions. Roughly you get 50% compression ratio with Splunk (entirely dependent on your data though), Splunk will also create metadata files associated with your indexes that have metafields to speed indexing as well as bloom filters and other files.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...