In some circumstances, (specifically with lookups and the dedup command), there were huge memory, performance and crashing issues.
I had cases open through many of the 7.1 -7.2x branches, all of which have cleared up with 7.2.4
I would encourage you to test 7.1 throughly to see if you will suffer from these issues, or consider jumping to the latest 188.8.131.52
Support said -
-- What you were told in Answers is true!
There were quite a few issues with memory throughout 7.X -- the most stable release in all of 7.X would be indeed 7.2.4; If you are utilizing SmartStore(s2), then the .2 (184.108.40.206) patch is recommended as well.
Our Sales Engineer said -
That’s a really generic complaint. I’d need bug tracker numbers (usually SPL-XXXXXX) to find out.
Actually, I THINK I managed to find it. It was addressed by 7.1.4 and 7.2.0. You’re fine.
My bugs were SPL-162166 and SPL-162548 (fixed in 7.2.4) and SPL-156444 which I think was patched out in 7.1.4 (although it escaped the release notes)
They are in 'fixed' issues - not 'known' https://docs.splunk.com/Documentation/Splunk/7.2.4/ReleaseNotes/Fixedissues
2019-01-16 SPL-162166, SPL-162548 splunkd: /opt/splunk/src/search/processors/lookup/IndexedCsvDataProvider.cpp:165: virtual void IndexedCsvDataProvider::lookupBatch(UnpackedResults&, const SearchResultsInfo&, const LookupDefinition&): Assertion `!parseonly' failed.
Although I have no idea what any of that means, and they were my bugs 🙂
From Support -
It is in the known issues page for 7.2.0
and for the SPL mentioned in the email prior to your last (SPL-156444):
From the Sales Engineer -
SPL-162166 only affects 7.2.x branches, 7.1.6 will be unaffected.
SPL-162548 only affects 7.2.x branches. 7.1.6 will be unaffected.
If 7.2.4 is not palatable, 7.1.6 looks like a solid release. Of course, extensive testing for your usecases is important with any deployment. Please let us know if you encounter unexpected issues.
SPL-162166, SPL-162548 gives this lovely search to find the largest lookups and in our environment, naturally the largest ones are ITSI's -
index=_* sourcetype=audittrail path=*lookups* size=* | stats max(size) AS size BY host, path | append [| rest services/server/introspection/kvstore/collectionstats | mvexpand data | table splunk_server title data | spath input=data | fields splunk_server size ns ] | eval host=coalesce(host,splunk_server) | fields host path ns size | sort size