Knowledge Management

Splunk Smartstore - Can we implement this solution for a framework that consists of multiple unclustered Indexers and if yes, how do we do that?

bvivek18
New Member

Hello Everyone,

Wanted to see if you guys have any inputs or suggestions on this. Recently I and my team attended the Splunk confernce (.conf19) and we went through some sessions of Splunk SmartStore. We wanted to implement this solution in our environment. We created the necessary Epics and starting building some related stories.

SmartStore is an indexer feature that provides a way to use remote object stores, such as Amazon S3, to store indexed data. By reducing reliance on local storage, SmartStore allows us to scale compute and storage resources separately, thus improving the efficiency of resource usage.

We have one of the brands/customers that are using a Splunk instance which consists of multiple Unclustered Indexers.

Wanted to see how would be our best approach to implement SmartStore with this framework i.e Unclustered Indexers, and if its possible to implement this solution and what options do we have on our plate here.

Appreciate any feedback on this.

thank you

vivek

Labels (1)
0 Karma

bvivek18
New Member

This is the feedback I have receieved so far.

  • S2 is meant to be used with clustered indexers; it should reduce the number of cold buckets you need from {replication & search factor} number of buckets to 1.
    While it might work on standalone indexers, you’re not reducing the amount of storage you need. Also, smart store needs an amount of cache per indexer too; there are formulas for that for clusters, but not for standalone.
    I’d be suggesting to your client that they move to clustering first. You don’t have to make the legacy buckets clustered, you can let them age out; PS has ways of making the legacy buckets part of the cluster, though.

  • Also, keep in mind that bandwidth is very important for this to work well and that once buckets are up there(S3), you can not revert. So be sure to only push small amounts to S3 as you begin

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...