So the addition of namespace worked @livehybrid but the results were actually fairly hard to work with. For example we really only want to return the header row, the namespace, title, appcontext etc are all rather fiddly.

I think this demonstrates a good attempt to really investigate however and I have the confidence to inform my client.

@NullZero - Splunk Docs are the proof:

• When you are using distributed environment, indexer's knowledge objects will not be used
  • https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.2/knowledge-bundle-repl...
  • https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.2/knowledge-bundle-repl... 
• KVstore are generally not by default replicated to Indexers
• But if replicate=true is set for KVstore lookups then also, the replication happen from Search Head to Indexer in a CSV formatted files inside the knowledge bundle
  • https://splunk.my.site.com/customer/s/article/indexer-name-Could-not-load-lookup-LOOKUP-automatic-lo... 
  • https://splunk.my.site.com/customer/s/article/KV-Store-lookups-occupying-4-5-Gigs-of-bundle-size 

And regarding lets say if you have some data from the past inside KVstore lookups, which might need to recover in the future, you can always re-enable the kvstore and get it back.

I hope this helps!!!

@VatsalJagani - This is not a viable approach for a customer, turn it off in prod, see if someone shouts and then just turn back on and shrug. We need to prove that we have checked it and show that we're operating in the best way possible.

I'm about to try the namespace addition to the REST search, that may well be the fix I was looking for and thanks @livehybrid 

But as @VatsalJagani said - there is no replication of KVstore between SH and indexer layers. True, if the particular collection is set to replicate, _its contents_ get replicated to indexers but they do that by pushing a csv file with a dump of the collection data. There it gets treated like a normal csv-backed lookup.

There is no clustering (and clustering would be required for replication) of KVstores between SH tier and indexer tier. There is not even a clustering of KVstores at indexer tier if they are enabled there - each indexer runs its own 1-member mongo cluster.

@NullZero you mentioned that auditd_host_inventory on the indexers have a number of events, it looks like the default for the collections in the TA-linux_auditd app is for the collections to replicate to the indexers.

# collections.conf
[auditd_host_inventory]
replicate = true

[learnt_posix_identities]
replicate = true

Therefore I am not sure if disabling KV Store on the indexers when this is set on the SHC would cause any issue?

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

I can think of one very border case (actually being a badly engineered environment) when you have an input running on indexer. And that input would use KVstore to store state. I can't tell from the top of my head which add-ons used that but there were ones out there in the wild that would do that. But again - this is a badly engineered environment since you shouldn't run such stuff on an indexer. The right way is to set up a separate HF for this.