slplunk原始数据和索引数据大小比较

DB目录总大小：2468MB

所有buckets的meta信息在.bucketManifest文件里：

id,path,"raw_size","event_count","host_count","source_count","sourcetype_count","size_on_disk",modtime,"frozen_in_cluster","origin_site","tsidx_minified","journal_size"
"main~0~077F3E61-250B-400C-A192-5866B2C3E1C5","db_1481515116_1480695302_0",18823156,110730,1,9,4,13713408,1481524286,0,"",0,3134751
"main~1~077F3E61-250B-400C-A192-5866B2C3E1C5","db_1481537316_1481532688_1",2310579,21809,1,2,4,258048,1481537634,0,"",0,16228
"main~2~077F3E61-250B-400C-A192-5866B2C3E1C5","db_1481547598_1481539988_2",159000000,1500000,1,1,1,14442496,1481548381,0,"",0,1087536
"main~3~077F3E61-250B-400C-A192-5866B2C3E1C5","db_1481617470_1481613403_3",116995120,251105,1,1,1,81010688,1481619151,0,"",0,48120454
"main~4~077F3E61-250B-400C-A192-5866B2C3E1C5","db_1481623046_1481619179_4",229333894,502002,1,1,1,126242816,1481630588,0,"",0,92507094
"main~5~077F3E61-250B-400C-A192-5866B2C3E1C5","db_1481632042_1481631975_5",931797403,501000,1,1,1,457887744,1481679128,0,"",0,344072139
"main~6~077F3E61-250B-400C-A192-5866B2C3E1C5","db_1481679220_1481679167_6",814813719,250000,1,1,1,388202496,1481709892,0,"",0,295944721
"main~7~077F3E61-250B-400C-A192-5866B2C3E1C5","db_1481714661_1481713606_7",3259545592,1000000,1,1,1,1505009664,1482572307,0,"",0,1183963998

 

bone@PEK1000074003:~/splunk/var/lib/splunk/defaultdb/db$ du -sm *|sort -n
1 CreationTime
1 db_1481537316_1481532688_1
1 GlobalMetaData
14 db_1481515116_1480695302_0
14 db_1481547598_1481539988_2
78 db_1481617470_1481613403_3
121 db_1481623046_1481619179_4
371 db_1481679220_1481679167_6
437 db_1481632042_1481631975_5
1436 db_1481714661_1481713606_7

bone@PEK1000074003:~/splunk/var/lib/splunk/defaultdb/db$ du -sm */rawdata/*.gz | sort -n
1 db_1481537316_1481532688_1/rawdata/journal.gz
2 db_1481547598_1481539988_2/rawdata/journal.gz
3 db_1481515116_1480695302_0/rawdata/journal.gz
46 db_1481617470_1481613403_3/rawdata/journal.gz
89 db_1481623046_1481619179_4/rawdata/journal.gz
283 db_1481679220_1481679167_6/rawdata/journal.gz
329 db_1481632042_1481631975_5/rawdata/journal.gz
1131 db_1481714661_1481713606_7/rawdata/journal.gz

 

 

bone@PEK1000074003:~/splunk/var/lib/splunk/defaultdb/db$ du -sm */*.tsidx
8 db_1481515116_1480695302_0/1481365442-1480695302-4858607897345416099.tsidx
1 db_1481515116_1480695302_0/1481515116-1481414314-4858898005396109713.tsidx
1 db_1481537316_1481532688_1/1481537316-1481532688-4860330036580586334.tsidx
12 db_1481547598_1481539988_2/1481546898-1481539988-4861034339343340051.tsidx
2 db_1481547598_1481539988_2/1481547534-1481546898-4860978970915735908.tsidx
1 db_1481547598_1481539988_2/1481547598-1481547534-4861034307055557201.tsidx
26 db_1481617470_1481613403_3/1481617470-1481613403-4865563935922009229.tsidx
3 db_1481617470_1481613403_3/1481617470-1481617458-4865672332245509206.tsidx
32 db_1481623046_1481619179_4/1481619389-1481619179-4865689731273799190.tsidx
1 db_1481623046_1481619179_4/1481623046-1481621223-4866421882884289834.tsidx
88 db_1481632042_1481631975_5/1481632034-1481631975-4866516891972181121.tsidx
17 db_1481632042_1481631975_5/1481632042-1481632011-4866518975138178595.tsidx
74 db_1481679220_1481679167_6/1481679215-1481679167-4869608890403912436.tsidx
11 db_1481679220_1481679167_6/1481679220-1481679210-4871619145803575804.tsidx
1 db_1481679220_1481679167_6/1481679220-1481679220-4871619114239737472.tsidx
291 db_1481714661_1481713606_7/1481714656-1481713606-4928138373543453009.tsidx
10 db_1481714661_1481713606_7/1481714661-1481714639-4928137267800912859.tsidx

 

 

 

发现其索引文件占用很小约总大小的1/4 而数据文件占用了3/4

 

再测试了下：

而通过看rawdata数据文件可知，它是直接将日志数据append到一个文件 对该文件采用gz压缩方式来降低存储空间 

 

测试说明：splunk6.5版本，数据使用500次批量插入，每批数据都不同，大小500条，每条数据50个字段，对应的字符串使用长度为1-10个单词随机生成！