IMPORTANT NOTE: Timing of sessions and room locations are subject to change.
The Sched app allows you to build your schedule but is not a substitute for your event registration. In order to attend OpenSearchCon Europe 2026, please visit our website to register.
This talk shares a hands-on journey of building and operating a large-scale OpenSearch platform in a strictly on-premises, VM-based environment. What started as an urgent Splunk replacement evolved into a Managed Detection and Response (MDR) logging platform for high ingestion rates (~40GB to 1.2TB/day per customer).
The session focuses on real operational challenges and experiences: sizing and sharding decisions, gaps in official documentation, and the realities of owning OpenSearch end-to-end. Initially, we used Terraform to deploy and bootstrapped manually.
The talk includes a migration failure story from our biggest cluster, caused by accidental double ingestion, bad sizing and snapshot-induced OOMs.
At the end we have automated deployments, bootstrapping, ISM, snapshots, tiering, SSO-based access control, searchable snapshots (on-prem S3) and automation. Due to limitations in ISM, we built a custom lifecycle automation script via an operator-like pipeline and an opensearchcli binary.
Attendees gain a realistic view of running OpenSearch at scale on-prem, including lessons learned the hard way.