How does one handle the large CMDB lookup table (cmdbcilist_lookup.csv) that is generated in a large environment. My file reached 844M and caused sync issues as well as filling up the hard drive with old bundles. Any plans to switch this over to the KVStore?
You might hit the same limitations with KVS if CMDB is quite large. We have introduced a new flag in the latest release to eliminate the need for lookups by requesting the data already enriched from SNow APIs. Please check out the troubleshooting section
under: Collect display values directly from the API
So it looks like if you are using the Splunk App for ServiceNow then you are out of luck? Any plans to integrate the API calls into the main app?
So the below pulled from the website linked above is outdated or am I missing something? If the new app supports the new data API, then all I need to do is disable the searches for the 2 lookup tables and everything should be good and working?
Collect display values directly from the API
If you still encounter performance issues after trying all other workarounds, use this more comprehensive alternative. Disable all the saved searches and edit your data collection parameters to collect the display values directly from the API.
Note: This workaround is not compatible with the Splunk App for ServiceNow, which also relies on these saved searches to populate dashboards. The workaround requires editing configuration files, so if you are a Splunk Cloud customer, file a Support ticket for assistance.
On your data collection node, open or create $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/service_now.conf. Change display_value = false to display_value = all. Save the file. On each of your search heads, open or create $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/props.conf. Follow the instructions provided in the default version of this file under each affected stanza to uncomment a set of FIELDALIAS statements and then comment out a corresponding set of LOOKUP statements. Save the file. If they are currently enabled, disable all the saved searches for this add-on in $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/savedsearches.conf Restart each search head. Restart your data collection node.
this is correct. This part of the doc needs to be updated since the App has that covered as part the latest release 4.0.3. We will get the doc fixed