What is the best approach to implement kv store to replace lookups?

Hi!
I have two search heads in a cluster and multiple lookups in Splunk, but I have recently started facing issues with replication of knowledge bundles. After investigation, I have observed that a few of the lookups are not getting replicated between the search heads. I have learnt that it's better to use kv store than lookups, but I don't have a clear idea of how and when using kv store is most suitable.
Would really appreciate your suggestions and help.
Thanks!

To use a kvstore lookup, you need to already have a collection in "collections.conf"; then you can create the lookup in transforms.conf.
The difference is that the list of fields has to be predefined.
See http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ConfigureKVstorelookups
To populate it you can use the API endpoints, or the first time you can populate it using kvstore methods, or use an outputlookup.
Example:
| inputlookup myoldcsvlookup | <do some clean up if necessary> | outputlookup mynewkvstorelookupcollection
Then you can use the new lookup the same way you were doing.
In a SHcluster situation, it should replicate across with the kvstore.
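The two configuration stanzas described in the answer above, shown as an added example that is not part of the original post. The collection name `mykvcollection` and the fields `user`, `department` and `risk_score` are assumptions made for illustration; the lookup name matches the one used in the `outputlookup` search above.

```ini
# --- collections.conf (in the app that owns the lookup) ---
# Defines the KV store collection. The name and fields are hypothetical.
[mykvcollection]
# Optional type hints per field: string, number, bool or time
field.user = string
field.department = string
field.risk_score = number

# --- transforms.conf (same app) ---
# Defines the lookup that searches refer to by name.
[mynewkvstorelookupcollection]
# Marks this lookup as backed by the KV store instead of a CSV file
external_type = kvstore
# Must match the stanza name in collections.conf
collection = mykvcollection
# The predefined field list; _key is the KV store's record identifier
fields_list = _key, user, department, risk_score
```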

@MousumiChowdhury, the following Splunk Dev site elucidates the steps required for migrating from Lookups to KVStore.
http://dev.splunk.com/view/webframework-developapps/SP-CAAAEZQ
Please try it out and confirm.
| makeresults | eval message= "Happy Splunking!!!"

