Splunk Enterprise

help on kv store performances vs lookup

jip31
Builder

hello

In the example below, "fo_all" is a KV Store

In this KV, I identify the HOSTNAME corresponding to my where condition and I cross the results with my macro

    [| inputlookup fo_all where TYPE="IndPC" (DOMAIN=I OR DOMAIN=IN OR DOMAIN=AW) (CATEGORY = "LAPTOP" OR CATEGORY ="TABLET" OR CATEGORY ="DESKTOP") (STATUS = "Production") | rename HOSTNAME as host ] `diskspace`

 What is better for performances : doing a query directly from the KV store or doing a scheduled search from the KV Store in order to generate a lookup?

    [| inputlookup ind.csv ] `diskspace`

 

Thanks

 

Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try both ways and use the Job Inspector to see which performs better.

On the surface, using a lookup (kvstores are lookups) to generate a lookup seems redundant.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try both ways and use the Job Inspector to see which performs better.

On the surface, using a lookup (kvstores are lookups) to generate a lookup seems redundant.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

jip31
Builder

Hi

Not really redundant because in my lookup, the search result is already stored

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!