Monitoring Splunk

Where can I disable kvstore?

mikefg
Communicator

Running 9.0.x now, and I'm getting messages about kvstore issues on indexers, etc. I understand I can disable kvstore on some systems, but not all.

Where do I need it upgraded to wiredTiger and where can I disable it?

Search heads - enabled and upgraded to wiredTiger
Enterprise security search head - enabled and upgraded to wiredTiger
Cluster master - mmapv1
Indexers - mmapv1
Deployment server - mmapv1
Heavy forwarders - enabled and upgraded to wiredTiger

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

I would enable KVStore on search heads and disable it everywhere else.  HFs are not search heads and don't need KVStore unless you have an app that specifically calls for it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mikefg 

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mikefg ,

as @richgalloway said, it's a best practice to disable KV-Store in all Splunk servers except Search Heads to use the resources for other purposes,

even if, there are some Add-Ons, that must be installed on HFs or IDXs, that disabling KV-Store will give you error messages because they use KV-Store .

Anyway, you can disable KV-Store adding to server.conf the following stanza:

[kvstore]
disabled = true

Ciao.

Giuseppe

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

I don’t remember any other commonly used TA on HFs than the newest DB Connect which are requiring kvstore. Unfortunately that is not clearly said on documentation if I recall right? So without DBX, you should disable kvstore on HF too.

r. Ismo

0 Karma

mikefg
Communicator

Maybe not a common TA or app, but Splunk App for Stream uses kvstore. Found this out recently doing some troubleshooting. So on stream servers make sure in server.conf to set

[kvstore]
disabled = false

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I would enable KVStore on search heads and disable it everywhere else.  HFs are not search heads and don't need KVStore unless you have an app that specifically calls for it.

---
If this reply helps you, Karma would be appreciated.
0 Karma

mikefg
Communicator

Found another app that needs kvstore, but this one is a vendor TA. kvstore was not referenced in any documentation and I only found out after I stopped getting data. Fixed now, just keep an eye out for missing data after disabling kvstore on a HF.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...