Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Disabling KV store

e57dab30
Explorer
‎07-13-2023 10:38 PM

I wanted to read up on which roles does need the KV store, which might and wich do not. In the

Admin Manual under About the app key value store, Disable the KV store is stated "... You can disable the KV store on indexers and forwarders, and on any installation that does not have any local apps or local lookups that use the KV store."

I understand it this way: "You can disable the KV store on indexers and forwarders" no exeption or is there a list of exeption which is not mentioned?

The "and on any installation that does not have any local apps or local lookups that use the KV store" part would mean, only then I would need it on instances other then indexers and forwarders if they run apps wich make use of the KV store. But I was assuming that a search head cluster would need a KV store and that SHC-D, Deployer and  Deployment Server would make use of the KV store itself. 

Is there a more detailed doc on which instances utilizes the kv store for what ?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎07-14-2023 06:18 AM

Well... you never know what the developers can come up with. As far as I remember there used to be apps with modular inputs which used KV store to keep some internal state. So in this case you couldn't disable KV store on a HF running such input.

For the other components - depends on what you do on them apart from their basic functionality. Typically DS  on its own should not need KV store. Deployer neither (and I don't think the ES installer would need KV store since it's not a part of the destination SHC to which it will be pushed onto so there would be no point in fiddling with local KV store contents).

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎07-14-2023 06:18 AM

Well... you never know what the developers can come up with. As far as I remember there used to be apps with modular inputs which used KV store to keep some internal state. So in this case you couldn't disable KV store on a HF running such input.

For the other components - depends on what you do on them apart from their basic functionality. Typically DS  on its own should not need KV store. Deployer neither (and I don't think the ES installer would need KV store since it's not a part of the destination SHC to which it will be pushed onto so there would be no point in fiddling with local KV store contents).

Reply
Solved! Jump to solution

e57dab30
Explorer
‎07-18-2023 04:15 AM

Thanks @PickleRick (love the nick name btw.). That helps me putting it a bit into perspective.  I know that apps a often a bit of a wild card but my splunk contacts often tell me to rtfm in regard to splunk es but I coldn't find more detailed info about that question. 

thanks.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-18-2023 04:26 AM

Generally the apps come in two flavors.

- Splunk-supported apps - those are typically pretty well written (of course, bugs can happen anywhere but as a general rule of thumb they are decently architected) and well documented. And these are the apps that I can trust meaning that I don't expect them to do something nasty to my environment or want to behave in a completely unpredictable and/or "non-splunky" way.

- Third-party apps - Here you can have anything. And I don't deploy those apps into my environments without looking into the code and configs contained therein. It's not that I suspect authors of purposefuly trying to do somehting bad to my environment but some of them are simply written by people with low level of proficiency. Some time ago in one of the modular inputs that came with one of the apps I came across remains of a code (not active, luckily) which tried to call a search from within a modular input to find out which events it had already ingested instead of keeping a local checkpoint. Most probably the author of that app never worked with anything bigger than all-in-one installation and never even thought that the modular input would be running on a separate machine and have nothing to do with searching.

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-13-2023 11:12 PM

Hi @e57dab30,

the sense of this affirmation is that KV-Store is mainly required on Search Heads, so on Indexers and Heavy Forwarders (on Universal it isn't present), that don't rquire local lookups,  you can disable KV-Store and avoid to consume some memory.

I know that there are some apps that require KV-Store and give an error if it's disabled, and sometimes these apps must be installed also on Indexers or Heavy Forwarders, but you can disable the lookups to not see the message.

Disabling KV-Store on Indexers and HFs is a best practice that usually PS apply.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

e57dab30
Explorer
‎07-14-2023 02:53 AM

Thanks. That confirms what said but what about SHC-D, Deployer and  Deployment Server, do they need the KV store? I think License Master and SHC-D do need it but I did not find a part of the documentation saying something about that. FOund some answers here that might suggest that.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-14-2023 03:00 AM

Hi @e57dab30 ,

Surely Deployment Server, I'm not sure for Deployer because some apps (e.g. ES) muste be installed on it.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...