All Apps and Add-ons

Large CMDB lookup tables

wweiland
Contributor

How does one handle the large CMDB lookup table (cmdb_ci_list_lookup.csv) that is generated in a large environment. My file reached 844M and caused sync issues as well as filling up the hard drive with old bundles. Any plans to switch this over to the KVStore?

0 Karma
1 Solution

ehaddad_splunk
Splunk Employee
Splunk Employee

Hi,

You might hit the same limitations with KVS if CMDB is quite large. We have introduced a new flag in the latest release to eliminate the need for lookups by requesting the data already enriched from SNow APIs. Please check out the troubleshooting section
http://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Troubleshooting
under: Collect display values directly from the API

View solution in original post

0 Karma

ehaddad_splunk
Splunk Employee
Splunk Employee

this is correct. This part of the doc needs to be updated since the App has that covered as part the latest release 4.0.3. We will get the doc fixed

0 Karma

ehaddad_splunk
Splunk Employee
Splunk Employee

Hi,

You might hit the same limitations with KVS if CMDB is quite large. We have introduced a new flag in the latest release to eliminate the need for lookups by requesting the data already enriched from SNow APIs. Please check out the troubleshooting section
http://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Troubleshooting
under: Collect display values directly from the API

0 Karma

wweiland
Contributor

So it looks like if you are using the Splunk App for ServiceNow then you are out of luck? Any plans to integrate the API calls into the main app?

0 Karma

ehaddad_splunk
Splunk Employee
Splunk Employee

the latest release of the app supports that new format.

0 Karma

wweiland
Contributor

So the below pulled from the website linked above is outdated or am I missing something? If the new app supports the new data API, then all I need to do is disable the searches for the 2 lookup tables and everything should be good and working?

Thanks again,
Todd

Collect display values directly from the API

If you still encounter performance issues after trying all other workarounds, use this more comprehensive alternative. Disable all the saved searches and edit your data collection parameters to collect the display values directly from the API.

Note: This workaround is not compatible with the Splunk App for ServiceNow, which also relies on these saved searches to populate dashboards. The workaround requires editing configuration files, so if you are a Splunk Cloud customer, file a Support ticket for assistance.

On your data collection node, open or create $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/service_now.conf.
Change display_value = false to display_value = all.
Save the file.
On each of your search heads, open or create $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/props.conf.
Follow the instructions provided in the default version of this file under each affected stanza to uncomment a set of FIELDALIAS statements and then comment out a corresponding set of LOOKUP statements.
Save the file.
If they are currently enabled, disable all the saved searches for this add-on in $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/savedsearches.conf
Restart each search head.
Restart your data collection node.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...