1
00:00:00,360 --> 00:00:07,320
Finally, there is one last option which is used for determining your storage.

2
00:00:09,040 --> 00:00:14,820
Till now we have learned license, a license size, number of indexes, number of searches, a B for

3
00:00:14,830 --> 00:00:17,740
the deployment server and a license manager.

4
00:00:18,840 --> 00:00:24,630
Including why we need clustering and high availability options.

5
00:00:24,660 --> 00:00:28,080
We will now go forward for calculating storage.

6
00:00:28,680 --> 00:00:36,390
The storage is the important part of your indexes and the storage should always have greater than 200

7
00:00:36,390 --> 00:00:37,350
IOPS.

8
00:00:39,860 --> 00:00:42,320
For getting a rough estimate on storage

9
00:00:44,050 --> 00:00:45,160
for indexer,

10
00:00:45,190 --> 00:00:48,520
the link mentioned in the document should

11
00:00:49,910 --> 00:00:58,880
take you straight into calculating the index's storage, which has been used by most of the Splunk consultants.

12
00:01:01,580 --> 00:01:06,590
And this is not officially in any way connected to Splunk or Splunk authorizers.

13
00:01:06,800 --> 00:01:13,040
You can see it's not supported by Splunk, and it is completely independent, probably built by one

14
00:01:13,040 --> 00:01:16,600
of the Splunkers to help other fellow Splunkers.

15
00:01:18,510 --> 00:01:26,070
This is a very good site for getting a rough estimate of storage per index.

16
00:01:26,260 --> 00:01:28,680
Indexer. When I say rough estimates, it's accurate.

17
00:01:28,680 --> 00:01:31,710
Like 80 to 90%, it's not completely rough.

18
00:01:32,350 --> 00:01:32,530
Okay.

19
00:01:32,640 --> 00:01:36,570
So we are getting like 80 to 90% of accurate storage as of now.

20
00:01:36,570 --> 00:01:42,060
In my whole experience of 4 to 5 years, I've been using this site and I have not faced any miscalculations

21
00:01:42,060 --> 00:01:43,530
or misjudgment.

22
00:01:43,530 --> 00:01:47,320
While assigning storage, we can consider that as a good example.

23
00:01:47,340 --> 00:01:53,580
Most of the time when I go to a customer and ask them, What is your block size you need?

24
00:01:53,580 --> 00:01:57,760
They can't understand or they can't give a straight answer from losses.

25
00:01:57,780 --> 00:02:04,590
Few of them, they give us size by events per second because most of the traditional SIEM solutions,

26
00:02:04,590 --> 00:02:09,720
they were like QRadar, ArcSight and LogRhythm.

27
00:02:09,720 --> 00:02:12,820
They were using EPS, so they were familiar with EPS.

28
00:02:12,900 --> 00:02:18,420
They will come back and say to you that I have five K or four K or even two K event.

29
00:02:18,420 --> 00:02:19,590
So what do you do?

30
00:02:19,710 --> 00:02:23,600
You visit the site, check on this box size experiment.

31
00:02:23,610 --> 00:02:27,560
It will give you a rough estimate of how much license you need.

32
00:02:27,570 --> 00:02:31,050
Probably you can go up to 60 gig and in the case of two K.

33
00:02:31,930 --> 00:02:35,130
And if you choose Spike, it'll get around 115 gig.

34
00:02:35,140 --> 00:02:38,050
You can add 10% buffer and you can go up to 130.

35
00:02:38,410 --> 00:02:42,730
This is how you calculate as a r direct and define the.

36
00:02:42,880 --> 00:02:45,550
This is what my licensing I need.

37
00:02:46,120 --> 00:02:48,750
The next concept is data retention.

38
00:02:48,760 --> 00:02:50,800
This depends completely on your policy.

39
00:02:50,830 --> 00:02:53,780
Let's say I need six months of data.

40
00:02:53,800 --> 00:02:56,680
I'll choose three months or three months cold.

41
00:02:56,830 --> 00:02:57,880
We'll be going through.

42
00:02:57,880 --> 00:02:58,420
What is this?

43
00:02:58,420 --> 00:03:07,030
Hot, cold, archived frozen retention, how to calculate them, how to configure them.

44
00:03:07,030 --> 00:03:12,820
In the later part, when we dive deep into indexers and see how it operates and stuff.

45
00:03:13,120 --> 00:03:19,060
For now, consider this as the time which you need to keep your data in Splunk.

46
00:03:20,180 --> 00:03:27,170
Let's say I need three plus three, six months of data and we are not going to use any premium apps.

47
00:03:27,170 --> 00:03:34,250
If you use you can choose one of them and considerably the architecture or it recommends like as you

48
00:03:34,250 --> 00:03:37,910
can see, Splunk Enterprise Security, it's one of the premium apps.

49
00:03:37,910 --> 00:03:41,290
It will recommend 100 GB per indexer.

50
00:03:44,030 --> 00:03:47,210
This should be automatically updated yet.

51
00:03:47,840 --> 00:03:49,220
Here you can see.

52
00:03:52,440 --> 00:03:58,590
It says it requires 5.1 TB storage per indexer.

53
00:04:00,300 --> 00:04:01,200
So totally.

54
00:04:01,200 --> 00:04:03,090
You need like 100 TB.

55
00:04:05,450 --> 00:04:12,740
So here it is saying we need only one indexer, because if you choose Splunk Enterprise, it says maximum

56
00:04:12,740 --> 00:04:15,170
volume per indexer, you can go up to 100 GB.

57
00:04:17,100 --> 00:04:18,720
Will you choose without anything?

58
00:04:19,780 --> 00:04:24,400
So it says it can handle up to 300 GB, but we know how it works.

59
00:04:24,400 --> 00:04:30,070
The storage configuration, if you have like separate volumes mounted for it, you can mention them.

60
00:04:30,370 --> 00:04:34,510
But as of now, the only important number is 10.2 TB.

61
00:04:34,990 --> 00:04:40,030
You calculated your storage requirement based on EPS. Let's say I'll come back.

62
00:04:40,450 --> 00:04:42,700
I have 100 GB of license.

63
00:04:43,850 --> 00:04:45,650
I need six months retention.

64
00:04:45,830 --> 00:04:47,360
I'll come back here and check.

65
00:04:48,830 --> 00:04:53,000
The storage required for indexers is 8.8 TB.

66
00:04:54,810 --> 00:04:58,530
So this is how you calculate the storage requirement for your

67
00:04:59,470 --> 00:05:00,430
indexes.