Hi,
I want to confirm where the KVStore resides on the Splunk Architecture stack. I know that there's a related MongoDB process along with Splunk and therefore was wondering if it's part of the Splunk Core or whether it resides as a separate process behind the REST API layer.
The link to the reference Splunk Architecture diagram I was referring to is:
https://docs.splunk.com/File:Architecture-new.png
Any insight into this would be greatly appreciated as I was unable to find much documentation on this.
Cheers,
DJ
You are correct, in that it's a separate mongodb process which is installed and managed as part of the core software deployment.
It's installed on every type of Splunk installation (except Universal Forwarders), and whilst ostensibly it is just mongodb, access to it is brokered via the REST API (not to say that you can't poke it directly, if you wish - but unsupported).
One of its purposes is to store and access data during searches, and it can be used as a more efficient lookup repository than large CSVs, etc.
Some Splunk apps also use the KV store to hold configuration and parameters etc. via the REST API.
Anticipating a reasonable follow-up question: "can I move it, or use a separate mongo instance?" - I don't believe so.
Hi nickhillscpl,
Thanks for your reply. Understanding that poking directly at the Mongo is unsupported, do you by any chance know of ways to start attempting to do so? I mainly want to measure the performance difference between accessing it directly versus via the REST API, since there is a concern about KV store performance when scaled to 1 million+ records.
When Splunk starts the mongod process, it does so with the parameter enableLocalhostAuthBypass=0, meaning users must authenticate, even on the local system.
It also runs with --key-file=path, which contains authentication details.
My understanding is that you should be able to use the keyfile to authenticate against the service directly.
Great, thanks for the pointers, will try it out. Thanks!
hey
A user-defined entity that enriches the existing data in Splunk Enterprise. You can use knowledge objects to get specific information about your data. When you create a knowledge object, you can keep it private or you can share it with other users.
Knowledge managers manage how their organizations use knowledge objects in their Splunk Enterprise deployments. Splunk Enterprise knowledge objects include saved searches, event types, tags, field extractions, lookups, reports, alerts, data models, transactions, workflow actions, and fields.
It comes under Knowledge in this image: https://docs.splunk.com/File:Architecture-new.png
You can read about lookups at these links:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/WhatisSplunkknowledge
https://docs.splunk.com/Splexicon:Knowledgeobject
I hope this helps you!