slplunk原始数据和索引数据大小比较-白红宇

DB目录总大小：2468MB

所有buckets的meta信息在.bucketManifest文件里：

id,path,"raw_size","event_count","host_count","source_count","sourcetype_count","size_on_disk",modtime,"frozen_in_cluster","origin_site","tsidx_minified","journal_size"

"main~0~077F3E61-250B-400C-A192-5866B2C3E1C5","db_1481515116_1480695302_0",18823156,110730,1,9,4,13713408,1481524286,0,"",0,3134751

"main~1~077F3E61-250B-400C-A192-5866B2C3E1C5","db_1481537316_1481532688_1",2310579,21809,1,2,4,258048,1481537634,0,"",0,16228

"main~2~077F3E61-250B-400C-A192-5866B2C3E1C5","db_1481547598_1481539988_2",159000000,1500000,1,1,1,14442496,1481548381,0,"",0,1087536

"main~3~077F3E61-250B-400C-A192-5866B2C3E1C5","db_1481617470_1481613403_3",116995120,251105,1,1,1,81010688,1481619151,0,"",0,48120454

"main~4~077F3E61-250B-400C-A192-5866B2C3E1C5","db_1481623046_1481619179_4",229333894,502002,1,1,1,126242816,1481630588,0,"",0,92507094

"main~5~077F3E61-250B-400C-A192-5866B2C3E1C5","db_1481632042_1481631975_5",931797403,501000,1,1,1,457887744,1481679128,0,"",0,344072139

"main~6~077F3E61-250B-400C-A192-5866B2C3E1C5","db_1481679220_1481679167_6",814813719,250000,1,1,1,388202496,1481709892,0,"",0,295944721

"main~7~077F3E61-250B-400C-A192-5866B2C3E1C5","db_1481714661_1481713606_7",3259545592,1000000,1,1,1,1505009664,1482572307,0,"",0,1183963998

bone@PEK1000074003:~/splunk/var/lib/splunk/defaultdb/db$ du -sm *|sort -n

1 CreationTime

1 db_1481537316_1481532688_1

1 GlobalMetaData

14 db_1481515116_1480695302_0

14 db_1481547598_1481539988_2

78 db_1481617470_1481613403_3

121 db_1481623046_1481619179_4

371 db_1481679220_1481679167_6

437 db_1481632042_1481631975_5

1436 db_1481714661_1481713606_7

bone@PEK1000074003:~/splunk/var/lib/splunk/defaultdb/db$ du -sm */rawdata/*.gz | sort -n

1 db_1481537316_1481532688_1/rawdata/journal.gz

2 db_1481547598_1481539988_2/rawdata/journal.gz

3 db_1481515116_1480695302_0/rawdata/journal.gz

46 db_1481617470_1481613403_3/rawdata/journal.gz

89 db_1481623046_1481619179_4/rawdata/journal.gz

283 db_1481679220_1481679167_6/rawdata/journal.gz

329 db_1481632042_1481631975_5/rawdata/journal.gz

1131 db_1481714661_1481713606_7/rawdata/journal.gz

bone@PEK1000074003:~/splunk/var/lib/splunk/defaultdb/db$ du -sm */*.tsidx

8 db_1481515116_1480695302_0/1481365442-1480695302-4858607897345416099.tsidx

1 db_1481515116_1480695302_0/1481515116-1481414314-4858898005396109713.tsidx

1 db_1481537316_1481532688_1/1481537316-1481532688-4860330036580586334.tsidx

12 db_1481547598_1481539988_2/1481546898-1481539988-4861034339343340051.tsidx

2 db_1481547598_1481539988_2/1481547534-1481546898-4860978970915735908.tsidx

1 db_1481547598_1481539988_2/1481547598-1481547534-4861034307055557201.tsidx

26 db_1481617470_1481613403_3/1481617470-1481613403-4865563935922009229.tsidx

3 db_1481617470_1481613403_3/1481617470-1481617458-4865672332245509206.tsidx

32 db_1481623046_1481619179_4/1481619389-1481619179-4865689731273799190.tsidx

1 db_1481623046_1481619179_4/1481623046-1481621223-4866421882884289834.tsidx

88 db_1481632042_1481631975_5/1481632034-1481631975-4866516891972181121.tsidx

17 db_1481632042_1481631975_5/1481632042-1481632011-4866518975138178595.tsidx

74 db_1481679220_1481679167_6/1481679215-1481679167-4869608890403912436.tsidx

11 db_1481679220_1481679167_6/1481679220-1481679210-4871619145803575804.tsidx

1 db_1481679220_1481679167_6/1481679220-1481679220-4871619114239737472.tsidx

291 db_1481714661_1481713606_7/1481714656-1481713606-4928138373543453009.tsidx

10 db_1481714661_1481713606_7/1481714661-1481714639-4928137267800912859.tsidx

发现其索引文件占用很小约总大小的1/4 而数据文件占用了3/4

再测试了下：

而通过看rawdata数据文件可知，它是直接将日志数据append到一个文件对该文件采用gz压缩方式来降低存储空间

测试说明：splunk6.5版本，数据使用500次批量插入，每批数据都不同，大小500条，每条数据50个字段，对应的字符串使用长度为1-10个单词随机生成！

本文转自张昺华-sky博客园博客，原文链接：http://www.cnblogs.com/bonelee/p/6381746.html，如需转载请自行联系原作者