Solved: KV Store share among 2 SearchHeads and a Heavy fow...

myfriendhenry · ‎04-17-2019

I have DB_Connect running only on the Heavy Forwarder. (Got that working)
I want to get a single value from a database (A Date Value), store it in the KV-Store on the Heavy Forwarder (I know how to do that)
I want that Key/Value to be available to both of my (non-clustered) Search Heads. - HOW TO DO THIS?

To clarify a bit. I want to put this value in a dashboard and don't want the query run directly from it.

1. I don't want search heads accessing the database
2. This should also yield somewhat better dashboard performance.

Would like the process to be something like this:
Scheduled DBXQuery Updates K/Value on HF | HF Replicates K/Value to Search Heads | Dashboard Queries K/Value

starcher · ‎04-17-2019

https://splunkbase.splunk.com/app/3519/

Use that as an alert action on the the HF. Send to a kvstore on the SH.
Your search would simply be an inputlookup of the HF local lookup table with the alert action attached.

View solution in original post

starcher · ‎04-17-2019

https://splunkbase.splunk.com/app/3519/

Use that as an alert action on the the HF. Send to a kvstore on the SH.
Your search would simply be an inputlookup of the HF local lookup table with the alert action attached.

myfriendhenry · ‎04-18-2019

Awesome, this appears to be the missing link.

myfriendhenry · ‎04-18-2019

100% working, thank you!

KV Store share among 2 SearchHeads and a Heavy fowarder

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

KV Store share among 2 SearchHeads and a Heavy fowarder

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!