What is best approach to implement kv store to rep...

MousumiChowdhur · ‎09-29-2017

HI!

I have two search heads in cluster and multiple lookups in Splunk but currently started facing issues of replication of knowledge bundles. After investigation, I have observed that few of the lookups are not getting replicated between the search heads. I have learnt that it's best to use kv store than using lookups but I don't have clear idea of how and when using kv store is best suitable.

Would really appreciate your suggestions and help.
Thanks!

yannK · ‎10-05-2017

To use a kvstore lookup, you need to have already a collection in "collections.conf"
then you can create the lookup in transforms.conf.
The difference is that the list of fields has to be predefined.

see http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ConfigureKVstorelookups

To populate it you can use the API endpoints
or the first time you can populate it using kvstore methods, or use an outputlookup.
example

 | inputlookup myoldcsvlookup | <do some clean up if necessary> | outputlookup mynewkvstorelookupcollection

then you can use the new lookup the same way you were doing.
In a SHcluster situation, it should replicate accros with the kvstore.

niketn · ‎10-01-2017

@MousumiChowdhury, following Splunk Dev site elucidates the steps required for migrating from Lookups to KVStore.

http://dev.splunk.com/view/webframework-developapps/SP-CAAAEZQ

Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

harsmarvania57 · ‎09-29-2017

These answers might help you

https://answers.splunk.com/answers/179767/what-are-the-benefits-of-the-kv-store-vs-a-traditi-1.html

https://answers.splunk.com/answers/333540/for-large-lookups-should-i-use-the-kv-store.html

What is best approach to implement kv store to replace using lookups?

There's No Place Like Chrome and the Splunk Platform

The Great Resilience Quest: 5th Leaderboard Update

Devesh Logendran, Splunk, and the Singapore Cyber Conquest