Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where can I disable kvstore?

mikefg
Communicator
‎08-29-2023 11:39 AM

Running 9.0.x now, and I'm getting messages about kvstore issues on indexers, etc. I understand I can disable kvstore on some systems, but not all.

Where do I need it upgraded to wiredTiger and where can I disable it?

Search heads - enabled and upgraded to wiredTiger
Enterprise security search head - enabled and upgraded to wiredTiger
Cluster master - mmapv1
Indexers - mmapv1
Deployment server - mmapv1
Heavy forwarders - enabled and upgraded to wiredTiger

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-29-2023 05:13 PM

I would enable KVStore on search heads and disable it everywhere else.  HFs are not search heads and don't need KVStore unless you have an app that specifically calls for it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-31-2023 02:21 PM

Hi @mikefg 

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-30-2023 01:38 AM

Hi @mikefg ,

as @richgalloway said, it's a best practice to disable KV-Store in all Splunk servers except Search Heads to use the resources for other purposes,

even if, there are some Add-Ons, that must be installed on HFs or IDXs, that disabling KV-Store will give you error messages because they use KV-Store .

Anyway, you can disable KV-Store adding to server.conf the following stanza:

[kvstore]
disabled = true

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-01-2023 12:18 AM

Hi

I don’t remember any other commonly used TA on HFs than the newest DB Connect which are requiring kvstore. Unfortunately that is not clearly said on documentation if I recall right? So without DBX, you should disable kvstore on HF too.

r. Ismo

0 Karma
Reply
Solved! Jump to solution

mikefg
Communicator
‎09-22-2023 07:43 AM

Maybe not a common TA or app, but Splunk App for Stream uses kvstore. Found this out recently doing some troubleshooting. So on stream servers make sure in server.conf to set

[kvstore]
disabled = false

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-29-2023 05:13 PM

I would enable KVStore on search heads and disable it everywhere else.  HFs are not search heads and don't need KVStore unless you have an app that specifically calls for it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

mikefg
Communicator
‎09-25-2023 07:34 AM

Found another app that needs kvstore, but this one is a vendor TA. kvstore was not referenced in any documentation and I only found out after I stopped getting data. Fixed now, just keep an eye out for missing data after disabling kvstore on a HF.

Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...