Cold tiers and platinum/enterprise licensing

Trying to get my head round tiering and platinum/enterprise licensing

We're a FE college in the UK (very small budget) implementing Elastic Security as our SIEM, running on Elastic Cloud.

Currently running a 2 zone hot tier (~10 days of data) and 1 zone cold tier (~80 days data) with an enterprise licence.

If we dropped to platinum can we still search the data in our cold tier?

I know we'd lose searchable snapshots, but for cold tiers it looks like their primary use is seamless data recovery. Without them, if the cold tier suffered any sort of data corruption or loss, would we have to manually recover from the non-searchable snapshots?

Thanks in advance!

Hi @cscott, welcome to the community and thanks for using Elastic Cloud.

That cold tier is backed by searchable snapshots, which is an enterprise feature that makes having only primary shards more resilient to failures / errors.

Have you considered putting, say, only 10 days in cold and then the last 70 in frozen? That would significantly reduce your cost, perhaps even less than going back to Platinum.

Frozen is amazing. It's very performant considering it's being pulled from blob storage, and it's online and searchable.

Of course you can go back to Platinum and use hot and warm. Warm usually has a primary and replica, so it's not especially cost efficient...
If you only use a primary in warm, there is no quick recovery if there is corruption or failure etc...

The cold tier can be used without searchable snapshots, but if I'm not wrong they would be the same thing as warm nodes in terms of disk, but the hardware would have lower specs.

From the documentation:

Alternatively, you can use the cold tier to store regular indices with replicas instead of using searchable snapshots. This lets you store older data on less expensive hardware but doesn’t reduce required disk space compared to the warm tier.

Yes, cold can be used without searchable snapshots but then it's just the same as warm with zero replicas.

In Elastic Cloud it's the exact same hardware between warm and cold, so there are no cost savings... I phrased it that way because that's what the OP referenced.

The documentation reference above is for self-managed Elasticsearch, where you could use cheaper hardware for cold without searchable snapshots and perhaps save money, but also take a performance or reliability hit.


Thanks for the advice

Have decided to stick with Enterprise and go for 10 days in cold and 70 days in frozen.
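An ILM policy body (the payload for `PUT _ilm/policy/<name>`) implementing the tiering the thread settles on: hot, then 10 days cold as a fully mounted searchable snapshot, then 70 days frozen as a partially mounted one, then delete. This is an added example, not configuration from the thread or from Elastic; `found-snapshots` is assumed to be the cluster's snapshot repository, and the rollover thresholds are illustrative. Phase `min_age` values count from rollover, so cold starts at 10d, frozen at 20d and delete at 90d.

```json
{
  "policy": {
    "_meta": {
      "description": "Added example: hot -> cold (searchable snapshot) -> frozen -> delete. Repository name and rollover sizes are assumptions."
    },
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_primary_shard_size": "50gb",
            "max_age": "1d"
          },
          "set_priority": { "priority": 100 }
        }
      },
      "cold": {
        "min_age": "10d",
        "actions": {
          "searchable_snapshot": {
            "snapshot_repository": "found-snapshots"
          },
          "set_priority": { "priority": 50 }
        }
      },
      "frozen": {
        "min_age": "20d",
        "actions": {
          "searchable_snapshot": {
            "snapshot_repository": "found-snapshots"
          }
        }
      },
      "delete": {
        "min_age": "90d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}
```

On Platinum, where `searchable_snapshot` is unavailable, the cold phase would instead carry an `allocate` action with `number_of_replicas` set to 1, which is the "same as warm" case the replies describe. Check the resulting phase transitions with `GET <index>/_ilm/explain` before relying on the retention window.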