Knowledge Management

Where does KVStore reside on the Splunk Architecture Stack?

djfang
Explorer

Hi,

I want to confirm where the KVStore reside on the Splunk Architecture stack. I know that there's a related MongoDB process along with Splunk and therefore was wondering if it's part of the Splunk Core or does it reside as a separate process behind the REST API layer.

The link to the reference Splunk Architecture diagram I was referring to is: Splunk Architecture
https://docs.splunk.com/File:Architecture-new.png

Any insight into this would be greatly appreciated as I was unable to find much documentation on this.

Cheers,
DJ

Tags (1)
0 Karma
1 Solution

nickhills
Ultra Champion

You are correct, in that its a separate mongodb process which is installed and managed as part of the core software deployment.
Its installed on every type of Splunk installation (except Universal Forwarders), and whilst ostensibly it is just mongodb, access to it is brokered via the restAPI (not to say that you cant poke it directly, if you wish - but unsupported).

One of its purpose is to store and access data during searches and it can be used as a more efficient lookup repository than large CSVs. etc.
Some Splunk apps also use the KV store to hold configuration and parameters etc via the rest API.

Anticipating a reasonable follow up question: "can I move it, or use a separate mongo instance?" - I don't believe so.

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills
Ultra Champion

You are correct, in that its a separate mongodb process which is installed and managed as part of the core software deployment.
Its installed on every type of Splunk installation (except Universal Forwarders), and whilst ostensibly it is just mongodb, access to it is brokered via the restAPI (not to say that you cant poke it directly, if you wish - but unsupported).

One of its purpose is to store and access data during searches and it can be used as a more efficient lookup repository than large CSVs. etc.
Some Splunk apps also use the KV store to hold configuration and parameters etc via the rest API.

Anticipating a reasonable follow up question: "can I move it, or use a separate mongo instance?" - I don't believe so.

If my comment helps, please give it a thumbs up!

djfang
Explorer

Hi nickhillscpl,

Thanks for your reply. Understanding that poking directly at the Mongo is unsupported, by any chance you know ways of starting off attempting to do so? I mainly want to measure the performance difference between accessing it directly versus via REST API since there is a concern of KV store performance when scaled to 1 million + records.

0 Karma

nickhills
Ultra Champion

When Splunk starts the mongod process, it does so with the parameter enableLocalhostAuthBypass=0 meaning users must authenticate, even on the local system.
It also runs with --key-file=path which contains authentication details.

My understanding is that you should be able to use the keyfile to authenticate against the service directly.

If my comment helps, please give it a thumbs up!
0 Karma

djfang
Explorer

Great, thanks for the pointers, will try it out. Thanks!

0 Karma

mayurr98
Super Champion

hey

A user-defined entity that enriches the existing data in Splunk Enterprise. You can use knowledge objects to get specific information about your data. When you create a knowledge object, you can keep it private or you can share it with other users.

Knowledge managers manage how their organizations use knowledge objects in their Splunk Enterprise deployments. Splunk Enterprise knowledge objects include saved searches, event types, tags, field extractions, lookups, reports, alerts, data models, transactions, workflow actions, and fields.

It comes under knowledge of this image https://docs.splunk.com/File:Architecture-new.png
You can look for lookups in this link
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/WhatisSplunkknowledge
https://docs.splunk.com/Splexicon:Knowledgeobject

I hope this helps you!

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...