Knowledge Management

Where does KVStore reside on the Splunk Architecture Stack?

djfang
Explorer

Hi,

I want to confirm where the KVStore resides on the Splunk Architecture stack. I know that there's a related MongoDB process along with Splunk and therefore was wondering whether it's part of the Splunk Core or whether it resides as a separate process behind the REST API layer.

The link to the reference Splunk Architecture diagram I was referring to is: Splunk Architecture
https://docs.splunk.com/File:Architecture-new.png

Any insight into this would be greatly appreciated as I was unable to find much documentation on this.

Cheers,
DJ

nickhills
Ultra Champion

You are correct, in that it's a separate mongod process which is installed and managed as part of the core software deployment.
It's installed on every type of Splunk installation (except Universal Forwarders), and whilst ostensibly it is just MongoDB, access to it is brokered via the REST API (not to say that you can't poke it directly, if you wish, but that is unsupported).

One of its purposes is to store and access data during searches, and it can be used as a more efficient lookup repository than large CSVs, etc.
Some Splunk apps also use the KV store to hold configuration and parameters, etc., via the REST API.

Anticipating a reasonable follow up question: "can I move it, or use a separate mongo instance?" - I don't believe so.

If my comment helps, please give it a thumbs up!

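The supported path described in the answer above (splunkd's REST API brokering every read and write to the KV store) looks like this in practice. This is an added example, not code from the thread, from Splunk, or from any app: it assumes splunkd is reachable at the default management URL in SPLUNKD, that the app and collection names in the usage block are placeholders, and that batch_save accepts at most BATCH_SIZE records per call (the limits.conf max_documents_per_batch_save default as assumed here). The endpoints, parameters and the "Splunk <sessionKey>" authorization header are the documented REST interface; everything else is the example's own.

```python
"""Supported access to the KV store: splunkd's REST API on the management
port, with a session key, never a direct connection to mongod.

Added example; this is not code from the thread, Splunk, or any app.
Assumptions: splunkd is at SPLUNKD (the default management URL), the app
and collection names used in the usage at the bottom are placeholders,
and batch_save accepts at most BATCH_SIZE records per call (the
limits.conf max_documents_per_batch_save default as assumed here).
"""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Optional

SPLUNKD = "https://localhost:8089"   # assumed management URL
BATCH_SIZE = 1000                    # assumed batch_save ceiling


def config_url(app: str, collection: Optional[str] = None, owner: str = "nobody") -> str:
    """storage/collections/config: the collections.conf view of the KV store."""
    url = f"{SPLUNKD}/servicesNS/{owner}/{app}/storage/collections/config"
    return f"{url}/{collection}" if collection else url


def data_url(app: str, collection: str, owner: str = "nobody",
             key: Optional[str] = None, batch_save: bool = False) -> str:
    """storage/collections/data/<collection>: the records themselves."""
    url = f"{SPLUNKD}/servicesNS/{owner}/{app}/storage/collections/data/{collection}"
    if batch_save:
        return f"{url}/batch_save"
    return f"{url}/{key}" if key else url


def query_string(query: Optional[dict] = None, fields: Optional[str] = None,
                 limit: Optional[int] = None, skip: Optional[int] = None) -> str:
    """Encode the data endpoint's filter parameters; 'query' is a JSON document."""
    params = {}
    if query is not None:
        params["query"] = json.dumps(query)
    if fields:
        params["fields"] = fields
    if limit is not None:
        params["limit"] = limit
    if skip is not None:
        params["skip"] = skip
    return urllib.parse.urlencode(params)


def batches(records: list, size: int = BATCH_SIZE) -> list:
    """Split a large record list so each batch_save call stays under the ceiling."""
    return [records[i:i + size] for i in range(0, len(records), size)]


class KVStore:
    def __init__(self, session_key: str, app: str, owner: str = "nobody"):
        self.headers = {"Authorization": f"Splunk {session_key}"}
        self.app, self.owner = app, owner
        self.ctx = ssl.create_default_context()   # verify splunkd's certificate

    def _call(self, method: str, url: str, form: Optional[dict] = None,
              body: Optional[object] = None):
        headers = dict(self.headers)
        data = None
        if form is not None:                       # config endpoint takes form fields
            data = urllib.parse.urlencode(form).encode()
        elif body is not None:                     # data endpoint takes JSON
            data = json.dumps(body).encode()
            headers["Content-Type"] = "application/json"
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def create_collection(self, name: str, fields: Optional[dict] = None):
        """POST to the config endpoint; field.<name>=<type> declares typed fields."""
        form = {"name": name}
        form.update({f"field.{k}": v for k, v in (fields or {}).items()})
        url = config_url(self.app, owner=self.owner) + "?output_mode=json"
        return self._call("POST", url, form=form)

    def save_all(self, collection: str, records: list) -> int:
        """Load records through batch_save in chunks; returns the number of chunks sent."""
        url = data_url(self.app, collection, self.owner, batch_save=True)
        chunks = batches(records)
        for chunk in chunks:
            self._call("POST", url, body=chunk)
        return len(chunks)

    def find(self, collection: str, query: dict, limit: int = 100) -> list:
        url = data_url(self.app, collection, self.owner) + "?" + query_string(query, limit=limit)
        return self._call("GET", url)


if __name__ == "__main__":
    # Usage against a live instance (placeholders): session key from /services/auth/login.
    kv = KVStore(session_key="<session-key>", app="search")
    kv.create_collection("threat_intel", {"ip": "string", "score": "number"})
    kv.save_all("threat_intel", [{"ip": "10.0.0.1", "score": 90}])
    print(kv.find("threat_intel", {"ip": "10.0.0.1"}))
```

Two practical notes: the client verifies splunkd's certificate, so the default self-signed management certificate will be rejected until you install a trusted one or add your CA to the context; do not silence verification outside a lab, because the session key travels in every request. And for the million-record case raised later in the thread, batch_save in chunks plus typed fields on the collection (which is what the `field.<name>` form parameters declare) is the supported lever before reaching for mongod itself.
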
djfang
Explorer

Hi nickhillscpl,

Thanks for your reply. Understanding that poking directly at the Mongo is unsupported, do you by any chance know of ways to start attempting to do so? I mainly want to measure the performance difference between accessing it directly versus via the REST API, since there is a concern about KV store performance when scaled to 1 million+ records.

nickhills
Ultra Champion

When Splunk starts the mongod process, it does so with the parameter enableLocalhostAuthBypass=0, meaning users must authenticate, even on the local system.
It also runs with --key-file=path which contains authentication details.

My understanding is that you should be able to use the keyfile to authenticate against the service directly.

If my comment helps, please give it a thumbs up!
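
The two launch settings mentioned in the reply above (enableLocalhostAuthBypass=0 and a keyFile) are exactly what a reviewer should verify on a host before worrying about direct access at all. The following is an added example, not code from the thread or from Splunk: it reads a mongod command line (on Linux, read_cmdline() takes it from /proc/<pid>/cmdline) and reports whether the localhost auth bypass is disabled, whether a --keyFile is set and kept unreadable by group and others, whether TLS is required, and which interface mongod listens on. The flag names are mongod's own; the 8191 port is assumed here to be the KV store default, and the sample command lines used to exercise it are constructed.

```python
"""Audit how the KV store's mongod was started, without connecting to it.

Added example; not code from the thread or from Splunk. It parses a
mongod command line (on Linux, read_cmdline() pulls it from
/proc/<pid>/cmdline) and reports the settings a reviewer cares about:
enableLocalhostAuthBypass=0, a --keyFile that is not group/world
readable, TLS required, and what interface it listens on. The flag names
are mongod's own; the sample command lines used to test it are
constructed, and the 8191 port is the KV store default as assumed here.
"""
import shlex
import stat
from pathlib import Path
from typing import Dict, List, Optional


def read_cmdline(pid: int) -> str:
    """Return the process's argv as one string (Linux /proc, NUL-separated)."""
    raw = Path(f"/proc/{pid}/cmdline").read_bytes()
    return " ".join(shlex.quote(a) for a in raw.decode().split("\0") if a)


def parse_mongod_args(cmdline: str) -> Dict:
    """Turn 'mongod --port 8191 --setParameter k=v --keyFile p' into a dict.
    Every --setParameter k=v lands under opts['setParameter'][k]."""
    argv = shlex.split(cmdline)
    opts: Dict = {"setParameter": {}}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("--"):
            i += 1
            continue
        name, has_eq, val = tok[2:].partition("=")
        if not has_eq:
            # --flag value, unless the next token is another flag (boolean switch)
            if i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                i += 1
                val = argv[i]
            else:
                val = True
        if name == "setParameter" and isinstance(val, str):
            k, _, v = val.partition("=")
            opts["setParameter"][k] = v
        else:
            opts[name] = val
        i += 1
    return opts


def audit(opts: Dict, keyfile_mode: Optional[int] = None) -> List[str]:
    """Findings are strings; an empty list means the launch line looks right."""
    findings = []
    if opts["setParameter"].get("enableLocalhostAuthBypass") != "0":
        findings.append("enableLocalhostAuthBypass is not 0: a local client could "
                        "use mongod's localhost exception before any user exists")
    if "keyFile" not in opts:
        findings.append("no --keyFile: no shared secret, so no enforced authentication")
    elif keyfile_mode is not None and keyfile_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"keyFile mode {oct(keyfile_mode)} lets group/others read the secret")
    if opts.get("sslMode") != "requireSSL" and opts.get("tlsMode") != "requireTLS":
        findings.append("TLS is not required on the mongod port")
    bind = opts.get("bind_ip", "127.0.0.1")  # mongod binds to localhost when unset
    if bind not in ("127.0.0.1", "localhost", "::1"):
        findings.append(f"mongod listens on {bind}; port {opts.get('port', '8191')} "
                        "must be reachable only from cluster members")
    return findings


def audit_live(pid: int) -> List[str]:
    """Convenience wrapper for a running mongod: command line plus keyFile mode."""
    opts = parse_mongod_args(read_cmdline(pid))
    mode = None
    if isinstance(opts.get("keyFile"), str):
        mode = stat.S_IMODE(Path(opts["keyFile"]).stat().st_mode)
    return audit(opts, mode)


if __name__ == "__main__":
    import sys
    for line in audit_live(int(sys.argv[1])) or ["no findings"]:
        print(line)
```

Run it as root against the mongod PID on a search head (`pgrep -f mongod` finds it). The keyFile is the whole of mongod's authentication here, so its file mode and ownership matter as much as the flags; anyone who can read it can authenticate to mongod as a cluster member, which is why the answer's "unsupported" also means "treat the key like a credential".
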

djfang
Explorer

Great, thanks for the pointers, will try it out. Thanks!

mayurr98
Super Champion

hey

A user-defined entity that enriches the existing data in Splunk Enterprise. You can use knowledge objects to get specific information about your data. When you create a knowledge object, you can keep it private or you can share it with other users.

Knowledge managers manage how their organizations use knowledge objects in their Splunk Enterprise deployments. Splunk Enterprise knowledge objects include saved searches, event types, tags, field extractions, lookups, reports, alerts, data models, transactions, workflow actions, and fields.

It comes under "Knowledge" in this image: https://docs.splunk.com/File:Architecture-new.png
You can read about lookups at these links:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/WhatisSplunkknowledge
https://docs.splunk.com/Splexicon:Knowledgeobject

I hope this helps you!