Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

CSV vs KV store lookup. How large is large?

MonkeyK
Builder
‎01-11-2017 08:04 AM

Documentation comparing CSV and KV store notes that for large lookups, KV Store is preferred over CSV.
http://dev.splunk.com/view/SP-CAAAEY7#kvsvscsv

What is the definition of large? Is it measured in total bytes? Number of records? And in either case how much?
I also have read that up to a point, CSV would be preferred because is gets loaded in memory. What is that point?

0 Karma
Reply

hunters_splunk
Splunk Employee
Splunk Employee
‎01-11-2017 08:19 AM

Hi MonkeyK,

csv lookups are preferred for small tables that change infrequently. Most csv lookups contain no more than 100 rows of data.
KV Store is designed for large key-value data collections that frequently change, for example:

– Tracking workflow state changes (an incident-review system)
– Keeping a list of environment assets assigned to users and their metadata
– Controlling a job queue or application state as the user interacts with the app
KV store can:
– Enable per-record CRUD operations using the lookup commands and the REST API
– Access key-value data seamlessly across search head cluster
– Back up and restore KV Store data
Optionally, KV store can also:
- Allow data type enforcement on write operations
- Perform field accelerations and automatic lookups
- Work with distributed searches on the search peers (indexers)

Hope this helps. Thanks!
Hunter

0 Karma
Reply

MonkeyK
Builder
‎01-11-2017 08:39 AM

Doesn't really help. I was looking for a more quantitative definition of large. But now you have added another undefined term "frequently". How do I evaluate "large" and "frequently"?

Most of what I am seeing are qualitative criteria that have little to do with anything that I know about.

I am interested in understanding the quantitative measures in general, but right now I am evaluating them against a specific use case of creating and maintaining Indicator of Compromise lists. These would be on the order of 100-1000 IP addresses or URLs (separate lists) that would be used once in a local search and then accumulated to a central list that would be used as part of a nightly search/alert. Each day, any indicators older than a set amount of time (say two weeks) would be removed.
I know that I can perform my use case using csv based lookups, but do not know how important it is/will be to consider KV stores.

0 Karma
Reply

MonkeyK
Builder
‎02-02-2017 03:47 PM

as a follow-up, I have built out some csv based lookup tables with several thousand records. No problem in the searches.

0 Karma
Reply

myu_splunk
Splunk Employee
Splunk Employee
‎03-08-2017 02:37 PM

Hi MonkeyK, if you have a lookup table file that is 100MB or larger, I'd consider that a large lookup table file. As far as the CSV vs KV store lookup question goes, KV Store collections live on the search head and are not passed down to indexers. CSV lookups are replicated to the indexers so if your lookup table changes frequently, this could lead to performance problems.

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...