Monitoring Splunk

Where can I disable kvstore?

mikefg
Communicator

Running 9.0.x now, and I'm getting messages about kvstore issues on indexers, etc. I understand I can disable kvstore on some systems, but not all.

Where do I need it upgraded to wiredTiger and where can I disable it?

Search heads - enabled and upgraded to wiredTiger
Enterprise security search head - enabled and upgraded to wiredTiger
Cluster master - mmapv1
Indexers - mmapv1
Deployment server - mmapv1
Heavy forwarders - enabled and upgraded to wiredTiger


richgalloway
SplunkTrust

I would enable KVStore on search heads and disable it everywhere else.  HFs are not search heads and don't need KVStore unless you have an app that specifically calls for it.

---
If this reply helps you, Karma would be appreciated.


gcusello
SplunkTrust

Hi @mikefg 

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


gcusello
SplunkTrust

Hi @mikefg ,

As @richgalloway said, it's a best practice to disable KV-Store on all Splunk servers except Search Heads, to use the resources for other purposes, even if there are some Add-Ons that must be installed on HFs or IDXs for which disabling KV-Store will give you error messages, because they use KV-Store.

Anyway, you can disable KV-Store by adding the following stanza to server.conf:

[kvstore]
disabled = true

Ciao.

Giuseppe

isoutamo
SplunkTrust

Hi

I don’t remember any commonly used TA on HFs, other than the newest DB Connect, that requires kvstore. Unfortunately, that is not clearly stated in the documentation, if I recall correctly. So without DBX, you should disable kvstore on HFs too.

r. Ismo


mikefg
Communicator

Maybe not a common TA or app, but Splunk App for Stream uses kvstore. Found this out recently doing some troubleshooting. So on stream servers make sure in server.conf to set

[kvstore]
disabled = false


mikefg
Communicator

Found another app that needs kvstore, but this one is a vendor TA. kvstore was not referenced in any documentation and I only found out after I stopped getting data. Fixed now, just keep an eye out for missing data after disabling kvstore on a HF.
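
An added example, not part of the thread and not Splunk's own tooling: a pre-check for the situation described above, listing installed apps that declare KV store collections in collections.conf on a host where the `[kvstore]` stanza has `disabled = true`. It assumes the standard `$SPLUNK_HOME/etc` layout and that the setting lives in `etc/system/local/server.conf`; the sample tree, app names and collection name are constructed.

```python
import re
import tempfile
from pathlib import Path

def read_stanzas(path):
    """Minimal Splunk .conf reader: {stanza: {key: value}}, {} if file is absent."""
    stanzas, current = {}, None
    text = path.read_text(encoding="utf-8", errors="replace") if path.is_file() else ""
    for line in map(str.strip, text.splitlines()):
        match = re.match(r"^\[([^\]]+)\]$", line)
        if match:
            current = stanzas.setdefault(match.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def apps_defining_collections(etc_dir):
    """Map app name -> collections in its collections.conf ([default] excluded)."""
    found = {}
    for app in sorted(Path(etc_dir, "apps").iterdir()):
        names = {s for layer in ("default", "local")
                 for s in read_stanzas(app / layer / "collections.conf")} - {"default"}
        if names:
            found[app.name] = sorted(names)
    return found

def kvstore_disabled(etc_dir):
    """Assumption: the [kvstore] stanza is set in etc/system/local/server.conf."""
    kv = read_stanzas(Path(etc_dir, "system", "local", "server.conf")).get("kvstore", {})
    return kv.get("disabled", "false").lower() in ("true", "1")

def audit(etc_dir):
    """Apps that declare collections on a host where KV store is disabled."""
    return apps_defining_collections(etc_dir) if kvstore_disabled(etc_dir) else {}

def write_sample(root):
    """Constructed sample tree; the app and collection names are made up."""
    files = {"system/local/server.conf": "[kvstore]\ndisabled = true\n",
             "apps/TA-sample-vendor/default/collections.conf": "[sample_checkpoints]\n",
             "apps/TA-sample-plain/default/inputs.conf": "[monitor:///var/log/sample]\n"}
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as etc:
        write_sample(etc)
        print(audit(etc))
```

An empty result only means no app declares a collection in these files, so watching for missing data after the change still applies.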
