Splunk Enterprise Security

Can you convert identities_expanded to a KVStore?

stevenbutterwor
Path Finder

We are using Splunk ES version 5.2. The size of the indentities_expanded CSV file is over 350MB and is causing issues with the search bundle replication. Can this lookup be changed to a kvstore instead? I did try and convert it but it reverts back to a file based lookup automatically?

Labels (2)
0 Karma

lkutch_splunk
Splunk Employee
Splunk Employee

In 6.0 there's a new behavior that sounds like what you're looking for:
"Leverage KV store as a new interface for Assets and Identities. Allow for extensible fields in the Assets and Identities table definition, as well as enhance scalability/performance so that customers with very large, csv-based lookup files can easily administer their ES environments with fewer bundle replication related issues."

https://docs.splunk.com/Documentation/ES/6.0.0/RN/Enhancements
(However, 6.1.1 is the latest release and 6.2.0 is just around the corner, so check em all before you decide on an upgrade path 🙂 )

stevenbutterwor
Path Finder

Yeah i was aware of that but wondered if there is a work around. I don't think it's supported to be honest

0 Karma
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...