Which of the following will cause the greatest reduction in disk size requirements for a cluster of N indexers running Splunk Enterprise Security?
Setting the cluster search factor to N-1 will cause the greatest reduction in disk size requirements for a cluster of N indexers running Splunk Enterprise Security. This is because replicated copies of non-searchable data are smaller than copies of searchable data, as they include only the data and not the associated index files. Reducing the search factor directly impacts the storage of these larger searchable indexes, thus significantly reducing the overall disk size requirements.
Replicated copies of non-searchable data are smaller than copies of searchable data, because they include only the data and not the associated index files. So setting search factor to n-1 has a greater reduction.
Seems the question assumes SF is always smaller than RF, while RF in the examples in https://docs.splunk.com/Documentation/Splunk/7.3.2/Indexer/Systemrequirements is equal to the cluster size, e.g. (1) 3 peer nodes, with replication factor = 3; search factor = 2, and (2) 5 peer nodes, with replication factor = 5; search factor = 3. In these cases, setting SF=N-1 will increase disk usage instead, while since RF=N in both cases, setting RF=N-1 will reduce disk usage. Is that why the answer is D?
Answer A is correct
Answer A
Answer A seems correct, as replicated copies of non-searchable data are smaller than copies of searchable data, because they include only the data and not the associated index files.
TSIDX files are bigger than the raw data, so A is the correct answer. If you reduce the number of searchable data copies you will have a greater impact on storage savings. We are assuming that the current search_factor=N and replication_factor=N. Reference: https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements#:~:text=Replicated%20copies%20of%20non%2Dsearchable%20data%20are%20smaller%20than%20copies%20of%20searchable%20data%2C%20because%20they%20include%20only%20the%20data%20and%20not%20the%20associated%20index%20files.
IMHO the question is tricky and has a massive 'it depends' in it, but considering N could be any cluster size, let's assume we have a requirement of 2 searchable copies and a replication factor of 4 (= 4x raw data distributed across the nodes in total) and a cluster with 50 peer nodes => so you set it with A) to 49(!) full-sized searchable copies, D) to 49(!) smaller-sized raw copies. In contrast, "C) Decreasing the data model acceleration range." would actually DECREASE consumed storage.
Replication factor (RF) is the number of copies of a bucket. Search factor (SF) is the number of those copies which are searchable. You can't search more copies than you have so SF must be less than or equal to RF. By reducing RF to N-1 you are automatically reducing the SF to N-1. So answer is D.
D is the right answer. Replication factor is RECOMMENDED to be set at 1 less than the number of peer nodes (N-1)
Pg 94, Architecting Splunk Enterprise Deployments, "Best Practice: Minimum (RF +1) peer nodes." If you have a replication factor of 3, then you want 4 peer nodes, not one less.
Answer: A
Answer A seems correct, as replicated copies of non-searchable data are smaller than copies of searchable data, because they include only the data and not the associated index files.
A is the correct Answer
page 26 | Cluster