Here is what we have:
8 indexers / 4 search heads / each of them is 24 core, 256GB memory and 7.6TB disk
I am trying to understand which of the following gives a better search performance -
[access permissions and retention period are the same (35 days)]
Option-1: Single index, multiple sourcetypes each having data anywhere between 75 to 150GB per day.
Option-2: Single index for each of the sourcetypes that exceed 75GB per day.
Splunk documentation never talks about how big an index can be or when it is ideal to create separate indexes (excluding access permissions and retention periods).
My second question is what is the real harm in having too many indexes? What is the maximum number of indexes you have experienced/worked on a specific Splunk installation?
Thanks!