Splunk Enterprise Security

Can you convert identities_expanded to a KVStore?

stevenbutterwor
Path Finder

We are using Splunk ES version 5.2. The size of the indentities_expanded CSV file is over 350MB and is causing issues with the search bundle replication. Can this lookup be changed to a kvstore instead? I did try and convert it but it reverts back to a file based lookup automatically?

Labels (2)
0 Karma

lkutch_splunk
Splunk Employee
Splunk Employee

In 6.0 there's a new behavior that sounds like what you're looking for:
"Leverage KV store as a new interface for Assets and Identities. Allow for extensible fields in the Assets and Identities table definition, as well as enhance scalability/performance so that customers with very large, csv-based lookup files can easily administer their ES environments with fewer bundle replication related issues."

https://docs.splunk.com/Documentation/ES/6.0.0/RN/Enhancements
(However, 6.1.1 is the latest release and 6.2.0 is just around the corner, so check em all before you decide on an upgrade path 🙂 )

stevenbutterwor
Path Finder

Yeah i was aware of that but wondered if there is a work around. I don't think it's supported to be honest

0 Karma
Get Updates on the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...