Can you convert identities_expanded to a KVStore?

stevenbutterwor · ‎06-03-2020

We are using Splunk ES version 5.2. The size of the indentities_expanded CSV file is over 350MB and is causing issues with the search bundle replication. Can this lookup be changed to a kvstore instead? I did try and convert it but it reverts back to a file based lookup automatically?

lkutch_splunk · ‎06-03-2020

In 6.0 there's a new behavior that sounds like what you're looking for:
"Leverage KV store as a new interface for Assets and Identities. Allow for extensible fields in the Assets and Identities table definition, as well as enhance scalability/performance so that customers with very large, csv-based lookup files can easily administer their ES environments with fewer bundle replication related issues."

https://docs.splunk.com/Documentation/ES/6.0.0/RN/Enhancements
(However, 6.1.1 is the latest release and 6.2.0 is just around the corner, so check em all before you decide on an upgrade path 🙂 )

stevenbutterwor · ‎06-03-2020

Yeah i was aware of that but wondered if there is a work around. I don't think it's supported to be honest

Can you convert identities_expanded to a KVStore?

troubleshooting

using Enterprise Security

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...