Solved: Is KV Store better than a state CSV file when I ne...

hylam · ‎10-31-2015

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/
http://dev.splunk.com/view/SP-CAAAEY7

Is KV store better than state CSV when I need high availability? The scheduled search that updates the state CSV may run anywhere within the Search Head Cluster depending on the scheduler and captain's assignment. Are state CSV files replicated in an SHC?

starcher · ‎11-02-2015

If you send to ouputlookup fronting a csv the cluster will replicate it. But the idea for state is to use KVstore. That is why it was added. KVStore is mongoDB and handles replication on it's own across the cluster members. It also lets you update just the records that need updating more efficiently than doing it with a csv based lookup. http://www.georgestarcher.com/wp-content/uploads/2015/09/conf2015-LookupTalk.pdf

View solution in original post

starcher · ‎11-02-2015

If you send to ouputlookup fronting a csv the cluster will replicate it. But the idea for state is to use KVstore. That is why it was added. KVStore is mongoDB and handles replication on it's own across the cluster members. It also lets you update just the records that need updating more efficiently than doing it with a csv based lookup. http://www.georgestarcher.com/wp-content/uploads/2015/09/conf2015-LookupTalk.pdf

Is KV Store better than a state CSV file when I need high availability in a Search Head Cluster?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!