Getting Data In

Kvstore Collection endpoint sort limit

alvaromari83
Path Finder

Hello!

We are using KVStore collections in our apps, making use of the Splunk Rest API Collection Endpoint. For one of the uses, we are fetching data from a kvstore with huge amount of records (500,000>) in a app report panel. To have a goot UX, we wanted to use the mongo collection pagination capabilities that the KVStore collection endpoint provides:

For example: give me page 2 of 10 results per page, sorted by "name" ascending would be:

curl -k -u admin:yourpassword \
    "https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/kvstorecoll?sort=name&skip=10&limit=10"

But, when testing this with sort when the number of records to return is 50K or more (not so massive!) throws a mongodb code 17144 exception!:

"Overflow sort stage buffered data
usage of 33554495 bytes exceeds
internal limit of 33554432 bytes"

Googling for this, I found that the cause is that the sorted fields shall be INDEXED in the Mongo Collection, otherwise the sorting would be precached in memory with a 32MB limit. So, I tried to create a INDEX for the sorted field ("name" in the example), with the following property in the collections.conf file:

acceleration.acceleration1={ name: 1}

But... after restarting and repopulating the collection, all seems the same, and the 32MB error is still there! Like the acceleration is not related to the sorting indexing mongo needs... or the acceleration is not working at all.

Have you experimented something like this, or can give advise about what could be happening?

Thank you!

Regards,

Alvaro

0 Karma
1 Solution

alvaromari83
Path Finder

I think I got the problem:

First: accelerations were BAD defined:

This is incorrect and acceleration will not be created: acceleration.acceleration1={ name: 1}
This is correct: acceleration.acceleration1={ "name": 1}

So, doublequoting was missing.

Second: the way to call descending sort is quite strange:

ascending: https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/kvstorecoll?sort=name&...
descending: https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/kvstorecoll?sort=name:...

This sorting syntax is not documented anywhere in the KVStore API endpoint docs... so this was very confusing.

Thank you!

View solution in original post

alvaromari83
Path Finder

I think I got the problem:

First: accelerations were BAD defined:

This is incorrect and acceleration will not be created: acceleration.acceleration1={ name: 1}
This is correct: acceleration.acceleration1={ "name": 1}

So, doublequoting was missing.

Second: the way to call descending sort is quite strange:

ascending: https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/kvstorecoll?sort=name&...
descending: https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/kvstorecoll?sort=name:...

This sorting syntax is not documented anywhere in the KVStore API endpoint docs... so this was very confusing.

Thank you!

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...