
Using Index Summary Instead of a Lookup

cabauah
Path Finder

Hello,

Seeking everyone's expertise. We initially have saved searches (one running after the other) outputting to a lookup table to break the processing/memory limit within Splunk. It has come to a point, though, that the lookup has gotten big enough (> 50,000 records) that it is causing cluster replication issues in the environment.

One option we're looking at is to use the summary index. Can a summary index actually be used as some sort of storage for a table instead of to "summarise" results over a period of time? We're only using it to get a snapshot output/table report of events but don't have a need for the summary/time fields that are naturally created when saving output to the summary index.


woodcock
Esteemed Legend

Did you try KV Store? What is your status?


woodcock
Esteemed Legend

Use KV Store instead, which is not part of the bundle and scales to large sizes very well.
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ConfigureKVstorelookups

cabauah
Path Finder

@woodcock - is kvstore definitely better? Can you share a whitepaper detailing that kvstore is better than a summary index? Would kvstore have limits/performance implications, as that's also one of our struggles, hence we're trying to move to a different type of "storage"? From my understanding kvstore can have problems with concurrent users accessing the same data at the same time.


woodcock
Esteemed Legend

KV Store is a MongoDB that runs on your Search Head, and when the Indexers need to access it, they open a port to the Search Head and read what they need on the fly. So the data is never in the bundle. Huge bundle sizes because of lookups are one of the main reasons KV Store was created. I have never heard of any problems with concurrent users accessing KV Store. Please post a reference to such problems.


cabauah
Path Finder

Thanks woodcock, one more question: would kvstore be able to get a snapshot of results for comparison, i.e. comparing results from this run to the previous run?


woodcock
Esteemed Legend

It can do everything that a file-based lookup can do and more. I do not understand your question but ... "probably?"

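As an added illustration of the snapshot-comparison question above (this is not code from the thread or from any poster), the following shows one way to keep per-run snapshots in a KV Store collection and diff the latest run against the previous one. The collection name `host_snapshot`, the lookup name `host_snapshot_lookup`, the fields `host`, `status` and `run_ts`, and the source search `index=main sourcetype=host_check` are all assumed placeholders; lines starting with `#` are annotations (comments in the .conf stanzas, and labels for the searches that follow), not part of the SPL itself.

```spl
# --- collections.conf (in your app's local/ directory; assumed names) ---
[host_snapshot]
field.host = string
field.status = string
field.run_ts = number

# --- transforms.conf: expose the collection as a KV Store lookup ---
[host_snapshot_lookup]
external_type = kvstore
collection = host_snapshot
fields_list = _key, host, status, run_ts

# --- Saved search 1: take a snapshot of the current run ---
# Each run is stamped with run_ts so rows from different runs coexist in the
# collection; append=true adds rows instead of replacing the collection.
index=main sourcetype=host_check earliest=-15m
| stats latest(status) as status by host
| eval run_ts=now()
| outputlookup append=true host_snapshot_lookup

# --- Saved search 2: compare the latest run with the previous run ---
# latest_ts is the newest run; prev_ts is the newest run strictly older than it.
| inputlookup host_snapshot_lookup
| eventstats max(run_ts) as latest_ts
| eventstats max(eval(if(run_ts<latest_ts, run_ts, null()))) as prev_ts
| where run_ts=latest_ts OR run_ts=prev_ts
| eval which=if(run_ts=latest_ts, "current", "previous")
| chart latest(status) over host by which
| where isnull(current) OR isnull(previous) OR current!=previous

# --- Saved search 3 (optional housekeeping): keep only the last 7 days of runs ---
# outputlookup without append=true rewrites the whole collection with the
# filtered rows, which keeps the collection size bounded.
| inputlookup host_snapshot_lookup
| where run_ts >= relative_time(now(), "-7d@d")
| outputlookup host_snapshot_lookup
```

The comparison search reports hosts that are new (no `previous` value), gone (no `current` value), or whose status changed between the two runs. Because the data lives in the KV Store rather than a CSV in the bundle, growing the number of retained runs does not grow the knowledge bundle replicated to the indexers, which is the replication problem described at the top of the thread.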

somesoni2
Revered Legend

What version of Splunk are you using? Have you explored KV Store for this? It is designed for large-scale lookup-type data. See this link for a comparison of the CSV lookup vs KV Store:
http://dev.splunk.com/view/SP-CAAAEY7#kvsvscsv

If you find it suitable (which I think it is) for your need, you can follow this link to start using KV Store.
http://dev.splunk.com/view/kvstore/SP-CAAAEZQ


cabauah
Path Finder

Version is 6.5, but we will soon be migrating to 7.


cabauah
Path Finder

Hello, we're using kvstore in another part of the processing. Can you share a whitepaper detailing that kvstore is better than a summary index? Would kvstore have limits/performance implications, as that's also one of our struggles, hence we're trying to move to a different type of "storage"? From my understanding kvstore can have problems with concurrent users accessing the same data at the same time?
