https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/507874#M8985 <P>What is the maximum recommended size for asset/identity lookups?</P><P><A href="https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/assetandidentityframework/" target="_blank" rel="noopener">https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/assetandidentityframework/</A>&nbsp;</P><P>I've had issues with Splunk handling large numbers of assets and/or identities.&nbsp; I increased the maximum bundle size to 4GB, but still had to distribute the entire huge bundle every time an identity changed.</P><P>Is there an option to use a KV store for assets &amp; identities? Or a way to update them with a diff, rather than pushing the entire lookup?</P><P>Is there a memory requirement for a certain number of&nbsp;assets &amp; identities? Or any related performance impact for having a large number of assets &amp; identities?</P> Tue, 07 Jul 2020 15:48:09 GMT malvidin 2020-07-07T15:48:09Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/507874#M8985 <P>What is the maximum recommended size for asset/identity lookups?</P><P><A href="https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/assetandidentityframework/" target="_blank" rel="noopener">https://dev.splunk.com/enterprise/docs/developapps/enterprisesecurity/assetandidentityframework/</A>&nbsp;</P><P>I've had issues with Splunk handling large numbers of assets and/or identities.&nbsp; I increased the maximum bundle size to 4GB, but still had to distribute the entire huge bundle every time an identity changed.</P><P>Is there an option to use a KV store for assets &amp; identities? Or a way to update them with a diff, rather than pushing the entire lookup?</P><P>Is there a memory requirement for a certain number of&nbsp;assets &amp; identities? Or any related performance impact for having a large number of assets &amp; identities?</P> Tue, 07 Jul 2020 15:48:09 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/507874#M8985 malvidin 2020-07-07T15:48:09Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/507885#M8986 Try to keep bundle size below 1GB. Beyond that you'll have problems.<BR />Blacklist the A&amp;I lookups from the bundle and push them to the indexers using a different method (scp via a cron job, for example). Tue, 07 Jul 2020 17:02:06 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/507885#M8986 richgalloway 2020-07-07T17:02:06Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/508005#M8995 <P>Thanks for the help.</P><P>With large A&amp;I lookups, does Splunk provide memory recommendation for acceptable performance?</P><P>For example, if my asset list only contains&nbsp;ip<SPAN>,&nbsp;dns,&nbsp;priority,&nbsp;bunit,&nbsp; andcategory, how many Class A networks can I put in the lookup if the networks are 50% allocated?</SPAN></P> Wed, 08 Jul 2020 08:32:02 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/508005#M8995 malvidin 2020-07-08T08:32:02Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/508064#M8997 The guidance is to keep bundle sizes below 1GB. Wed, 08 Jul 2020 12:32:11 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/508064#M8997 richgalloway 2020-07-08T12:32:11Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/508600#M9003 <P>I don't know if I can stay under that size, or even under 4GB, but I understand that is the recommended limit.</P> Sat, 11 Jul 2020 11:37:19 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/508600#M9003 malvidin 2020-07-11T11:37:19Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/508607#M9004 Like I said in my first reply, if you keep large lookup files out of the bundle it will help keep the bundle size down. Sat, 11 Jul 2020 12:33:12 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/508607#M9004 richgalloway 2020-07-11T12:33:12Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/508608#M9005 <P>Thanks for clarifying that. Can KV lookups be distributed through different channels, like scp?</P> Sat, 11 Jul 2020 12:37:49 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/508608#M9005 malvidin 2020-07-11T12:37:49Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/508618#M9006 KVStore collections are not included in the search bundle. Sat, 11 Jul 2020 16:49:36 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Maximum-Asset-amp-Identity-Lookup-Size/m-p/508618#M9006 richgalloway 2020-07-11T16:49:36Z