I wanted to read up on which roles does need the KV store, which might and wich do not. In the
Admin Manual under About the app key value store, Disable the KV store is stated "... You can disable the KV store on indexers and forwarders, and on any installation that does not have any local apps or local lookups that use the KV store."
I understand it this way: "You can disable the KV store on indexers and forwarders" no exeption or is there a list of exeption which is not mentioned?
The "and on any installation that does not have any local apps or local lookups that use the KV store" part would mean, only then I would need it on instances other then indexers and forwarders if they run apps wich make use of the KV store. But I was assuming that a search head cluster would need a KV store and that SHC-D, Deployer and Deployment Server would make use of the KV store itself.
Is there a more detailed doc on which instances utilizes the kv store for what ?
Well... you never know what the developers can come up with. As far as I remember there used to be apps with modular inputs which used KV store to keep some internal state. So in this case you couldn't disable KV store on a HF running such input.
For the other components - depends on what you do on them apart from their basic functionality. Typically DS on its own should not need KV store. Deployer neither (and I don't think the ES installer would need KV store since it's not a part of the destination SHC to which it will be pushed onto so there would be no point in fiddling with local KV store contents).
Well... you never know what the developers can come up with. As far as I remember there used to be apps with modular inputs which used KV store to keep some internal state. So in this case you couldn't disable KV store on a HF running such input.
For the other components - depends on what you do on them apart from their basic functionality. Typically DS on its own should not need KV store. Deployer neither (and I don't think the ES installer would need KV store since it's not a part of the destination SHC to which it will be pushed onto so there would be no point in fiddling with local KV store contents).
Thanks @PickleRick (love the nick name btw.). That helps me putting it a bit into perspective. I know that apps a often a bit of a wild card but my splunk contacts often tell me to rtfm in regard to splunk es but I coldn't find more detailed info about that question.
thanks.
Generally the apps come in two flavors.
- Splunk-supported apps - those are typically pretty well written (of course, bugs can happen anywhere but as a general rule of thumb they are decently architected) and well documented. And these are the apps that I can trust meaning that I don't expect them to do something nasty to my environment or want to behave in a completely unpredictable and/or "non-splunky" way.
- Third-party apps - Here you can have anything. And I don't deploy those apps into my environments without looking into the code and configs contained therein. It's not that I suspect authors of purposefuly trying to do somehting bad to my environment but some of them are simply written by people with low level of proficiency. Some time ago in one of the modular inputs that came with one of the apps I came across remains of a code (not active, luckily) which tried to call a search from within a modular input to find out which events it had already ingested instead of keeping a local checkpoint. Most probably the author of that app never worked with anything bigger than all-in-one installation and never even thought that the modular input would be running on a separate machine and have nothing to do with searching.
Hi @e57dab30,
the sense of this affirmation is that KV-Store is mainly required on Search Heads, so on Indexers and Heavy Forwarders (on Universal it isn't present), that don't rquire local lookups, you can disable KV-Store and avoid to consume some memory.
I know that there are some apps that require KV-Store and give an error if it's disabled, and sometimes these apps must be installed also on Indexers or Heavy Forwarders, but you can disable the lookups to not see the message.
Disabling KV-Store on Indexers and HFs is a best practice that usually PS apply.
Ciao.
Giuseppe
Thanks. That confirms what said but what about SHC-D, Deployer and Deployment Server, do they need the KV store? I think License Master and SHC-D do need it but I did not find a part of the documentation saying something about that. FOund some answers here that might suggest that.
Hi @e57dab30 ,
Surely Deployment Server, I'm not sure for Deployer because some apps (e.g. ES) muste be installed on it.
Ciao.
Giuseppe