Getting Data In

Kvstore Collection endpoint sort limit

alvaromari83
Path Finder

Hello!

We are using KVStore collections in our apps, making use of the Splunk Rest API Collection Endpoint. For one of the uses, we are fetching data from a kvstore with huge amount of records (500,000>) in a app report panel. To have a goot UX, we wanted to use the mongo collection pagination capabilities that the KVStore collection endpoint provides:

For example: give me page 2 of 10 results per page, sorted by "name" ascending would be:

curl -k -u admin:yourpassword \
    "https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/kvstorecoll?sort=name&skip=10&limit=10"

But, when testing this with sort when the number of records to return is 50K or more (not so massive!) throws a mongodb code 17144 exception!:

"Overflow sort stage buffered data
usage of 33554495 bytes exceeds
internal limit of 33554432 bytes"

Googling for this, I found that the cause is that the sorted fields shall be INDEXED in the Mongo Collection, otherwise the sorting would be precached in memory with a 32MB limit. So, I tried to create a INDEX for the sorted field ("name" in the example), with the following property in the collections.conf file:

acceleration.acceleration1={ name: 1}

But... after restarting and repopulating the collection, all seems the same, and the 32MB error is still there! Like the acceleration is not related to the sorting indexing mongo needs... or the acceleration is not working at all.

Have you experimented something like this, or can give advise about what could be happening?

Thank you!

Regards,

Alvaro

0 Karma
1 Solution

alvaromari83
Path Finder

I think I got the problem:

First: accelerations were BAD defined:

This is incorrect and acceleration will not be created: acceleration.acceleration1={ name: 1}
This is correct: acceleration.acceleration1={ "name": 1}

So, doublequoting was missing.

Second: the way to call descending sort is quite strange:

ascending: https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/kvstorecoll?sort=name&...
descending: https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/kvstorecoll?sort=name:...

This sorting syntax is not documented anywhere in the KVStore API endpoint docs... so this was very confusing.

Thank you!

View solution in original post

alvaromari83
Path Finder

I think I got the problem:

First: accelerations were BAD defined:

This is incorrect and acceleration will not be created: acceleration.acceleration1={ name: 1}
This is correct: acceleration.acceleration1={ "name": 1}

So, doublequoting was missing.

Second: the way to call descending sort is quite strange:

ascending: https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/kvstorecoll?sort=name&...
descending: https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/kvstorecoll?sort=name:...

This sorting syntax is not documented anywhere in the KVStore API endpoint docs... so this was very confusing.

Thank you!

Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...