Deployment Architecture

Disabling KV store

e57dab30
Explorer

I wanted to read up on which roles does need the KV store, which might and wich do not. In the

Admin Manual under About the app key value store, Disable the KV store is stated "... You can disable the KV store on indexers and forwarders, and on any installation that does not have any local apps or local lookups that use the KV store."

I understand it this way: "You can disable the KV store on indexers and forwarders" no exeption or is there a list of exeption which is not mentioned?

The "and on any installation that does not have any local apps or local lookups that use the KV store" part would mean, only then I would need it on instances other then indexers and forwarders if they run apps wich make use of the KV store. But I was assuming that a search head cluster would need a KV store and that SHC-D, Deployer and  Deployment Server would make use of the KV store itself. 

Is there a more detailed doc on which instances utilizes the kv store for what ?

Labels (1)
Tags (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

Well... you never know what the developers can come up with. As far as I remember there used to be apps with modular inputs which used KV store to keep some internal state. So in this case you couldn't disable KV store on a HF running such input.

For the other components - depends on what you do on them apart from their basic functionality. Typically DS  on its own should not need KV store. Deployer neither (and I don't think the ES installer would need KV store since it's not a part of the destination SHC to which it will be pushed onto so there would be no point in fiddling with local KV store contents).

View solution in original post

PickleRick
SplunkTrust
SplunkTrust

Well... you never know what the developers can come up with. As far as I remember there used to be apps with modular inputs which used KV store to keep some internal state. So in this case you couldn't disable KV store on a HF running such input.

For the other components - depends on what you do on them apart from their basic functionality. Typically DS  on its own should not need KV store. Deployer neither (and I don't think the ES installer would need KV store since it's not a part of the destination SHC to which it will be pushed onto so there would be no point in fiddling with local KV store contents).

e57dab30
Explorer

Thanks @PickleRick (love the nick name btw.). That helps me putting it a bit into perspective.  I know that apps a often a bit of a wild card but my splunk contacts often tell me to rtfm in regard to splunk es but I coldn't find more detailed info about that question. 

thanks.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Generally the apps come in two flavors.

- Splunk-supported apps - those are typically pretty well written (of course, bugs can happen anywhere but as a general rule of thumb they are decently architected) and well documented. And these are the apps that I can trust meaning that I don't expect them to do something nasty to my environment or want to behave in a completely unpredictable and/or "non-splunky" way.

- Third-party apps - Here you can have anything. And I don't deploy those apps into my environments without looking into the code and configs contained therein. It's not that I suspect authors of purposefuly trying to do somehting bad to my environment but some of them are simply written by people with low level of proficiency. Some time ago in one of the modular inputs that came with one of the apps I came across remains of a code (not active, luckily) which tried to call a search from within a modular input to find out which events it had already ingested instead of keeping a local checkpoint. Most probably the author of that app never worked with anything bigger than all-in-one installation and never even thought that the modular input would be running on a separate machine and have nothing to do with searching.

gcusello
SplunkTrust
SplunkTrust

Hi @e57dab30,

the sense of this affirmation is that KV-Store is mainly required on Search Heads, so on Indexers and Heavy Forwarders (on Universal it isn't present), that don't rquire local lookups,  you can disable KV-Store and avoid to consume some memory.

I know that there are some apps that require KV-Store and give an error if it's disabled, and sometimes these apps must be installed also on Indexers or Heavy Forwarders, but you can disable the lookups to not see the message.

Disabling KV-Store on Indexers and HFs is a best practice that usually PS apply.

Ciao.

Giuseppe

0 Karma

e57dab30
Explorer

Thanks. That confirms what said but what about SHC-D, Deployer and  Deployment Server, do they need the KV store? I think License Master and SHC-D do need it but I did not find a part of the documentation saying something about that. FOund some answers here that might suggest that.

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @e57dab30 ,

Surely Deployment Server, I'm not sure for Deployer because some apps (e.g. ES) muste be installed on it.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...