What are the benefits of the KV store vs a traditional lookup table in Splunk 6.2?

responsys_cm
Builder

I've been reading over the 6.2 documentation for the KV store and I'm not entirely clear on what the benefits are compared to a traditional lookup table.

Can somebody give some examples where a KV store implementation would be a better choice than a lookup table?

For example, one of the ways the docs say it would be useful is as a job queue. Other than automatically generating a unique key for each entry in the queue, what does it do for me? If my lookup tables normally live on the search head, does the KV store let me push that work to the indexers? Are there benefits for clustering?

Thx.

Craig

1 Solution

skylasam_splunk
Splunk Employee

Please take a look at the documentation here - http://dev.splunk.com/view/SP-CAAAEY7 ; specifically the table that discusses pros / cons of KV store vs CSV lookups.

jlin
Splunk Employee

Perhaps the most apparent benefit of using KV store vs. CSV is the ability to insert/update. CSV's append only allows you to attach to the end, which does not update existing entries.

bfernandez
Communicator

I understand that another key benefit is the acceleration. Has anyone done any comparative performance test?

skylasam_splunk
Splunk Employee

When we talk about automatic lookups, we're referencing the capability described here - http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Usefieldlookupstoaddinformationtoyoureve...
This automatic lookup capability is not supported by KV store.

Regarding the question around the "restricting lookups to running on the search head tier" - This is intended to call out the fact that any KV store lookup will need to occur on a search head; i.e., all SPL commands in a search string occurring after a KV store lookup will need to be run on the search head.

responsys_cm
Builder

Are you sure that document is entirely accurate? The "cons" for KV store say it doesn't support automatic lookups. This page says differently: http://dev.splunk.com/view/SP-CAAAEZH

What are the implications for "restricting lookups to running on the search head tier"? We have a single cluster and every lookup file I create ends up on the search head. If I understand correctly, I might be able to improve performance on large lookup tables by replicating them to the indexers...? Never really understood what that was all about.

But it would seem that if you are going to deploy a search head cluster and you want a single search on a single search head to create a lookup that is accessible to the entire cluster, the KV store is the way to go... Am I right?

Thx.

C
