Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Deployment and Indexing Strategy for Large csv Lookup Files

beaumaris
Communicator
‎04-13-2011 09:56 PM

We have a 125MB lookup table as a .csv file with 1.5M rows. This table is re-generated on the Search Head every 4 hours. The strategy is to deploy this csv (along with any other changed files in the deployed app) to the Indexer when it changes. The first set of experiments has resulted in slow deployment and lookup outages; the Indexer Summary Indexes cannot do a lookup when the deployment is in progress and prior to the on-disk index being built.

Several questions about deployment strategy and large lookup tables:

1) The primary issue is that there is a gap in availability of the lookup table during and slightly after it is deployed to the indexer. Splunk needs time to build the on-disk index structure. The time to deploy and prepare the index can take 5-10 mins. What steps could be taken to reduce the this time?

2) The threshold for creating an on-disk index directory defaults to 10M lookup table size. Any harm in increasing that to 100M assuming there is enough memory? The assumption is the on-disk index will not be built, it will reside in memory. Will the lookup be available while the index is being prepared?

3) For large csv lookup files, what triggers the on-disk index structure to be built? Is there any control over that timing? By observation we have noticed that is does not build the index until a lookup is attempted and the lookups will fail until the index is ready.

4) Any specific steps to increase priority and improve the transfer speed on certain files for deployment?

Tags (3)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎04-14-2011 03:50 AM

There are a few things here.

First, a 125 MB lookup file should take maybe 30 seconds to index, not 5 to 10 minutes. Second lookup tables (and the entire app config, but lookup tables files and their indexes, so the indexing is only done once) are pushed out to indexers from the search head automatically when they change. Sending them out via Deployment Server doesn't really do anything, and they are not used when you run queries. Instead, the one that is replicated out by the search head is used instead. If you're seeing lags, it's possible that it's actually the replication that is slow. There are a couple of solutions here. The first is to disable replication and use NFS or other file sharing (probably not Deployment Server) to make the lookup available to the indexers. This can be done in versions below 4.2, but is a bit undocumented. In 4.2, there are settings for it in distsearch.conf. In 4.2, you can also try using asynchronous replication, which will prevent stalls.

0 Karma
Reply

tpsplunk
Communicator
‎06-15-2011 03:19 PM

how do you use asynchronous replication?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...