KVSTORE main uses

dani9
Explorer

Does collecting data work the same without kvstore installed?
What is the advantage of installing it in a Splunk environment?
What does it do?

0 Karma

dkolekar_splunk
Splunk Employee

About KV Store collections

The KV Store stores your data as key-value pairs in collections. Here are the main concepts:

Collections are the containers for your data, similar to a database table. Collections exist within the context of a given app.

Records contain each entry of your data, similar to a row in a database table.

Fields correspond to key names, similar to the columns in a database table. Fields contain the values of your data as a JavaScript Object Notation (JSON) document. Although not required, you can enforce data types (number, boolean, time, and string) for field values.

_key is a reserved field that contains the unique ID for each record. If you don't explicitly specify the _key value, the app auto-generates one.

_user is a reserved field that contains the user ID for each record. This field cannot be overridden.

Accelerations improve search performance by making searches that contain accelerated fields return faster. Accelerations store a small portion of the collection's data set in an easy-to-traverse form.

What does it do?
1. The KV Store adds a new lookup type to use with your apps: "kvstore". Before the KV Store feature was added, you might have used CSV-based lookups to augment data within your apps.
2. The KV Store is designed for large collections and is the easiest way to develop an application that uses key-value data.
3. The KV Store is a good solution when data requires user interaction using the REST interface and when you have a frequently-changing data set.
4. A CSV-based lookup is a good solution when the data set is small or changes infrequently, and when distributed search is required.

Advantages/Pros of KVstore:

  • Enables per-record insert/updates ("upserts").
  • Allows optional data type enforcement on write operations.
  • It allows you to define field accelerations to improve search performance.
  • Provides REST API access to the data collection.
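
The concepts in the answer above (collection, typed fields, acceleration, the "kvstore" lookup type) as a configuration sketch. This is an added example, not part of the original post; the collection name, lookup name and field names are constructed for illustration.

```ini
# collections.conf (inside the app that owns the collection)
# "asset_owners" and its fields are hypothetical names.
[asset_owners]
# Enforce the declared types on write: with true, an insert whose
# value does not match its declared type fails.
enforceTypes = true
field.hostname = string
field.owner = string
field.criticality = number
field.decommissioned = bool
field.last_seen = time
# Field acceleration on hostname (1 = ascending order)
accelerated_fields.by_hostname = {"hostname": 1}

# transforms.conf (same app)
# Exposes the collection to searches as a lookup of type "kvstore".
[asset_owners_lookup]
external_type = kvstore
collection = asset_owners
# _key is listed so searches can read the record ID and write
# back to an existing record instead of creating a new one.
fields_list = _key, hostname, owner, criticality, decommissioned, last_seen
```

With this in place, the lookup name can be used with `inputlookup`, `lookup` and `outputlookup` in searches, and the same records are reachable over REST under the app's `storage/collections/data/asset_owners` endpoint.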

bowesmana
SplunkTrust

How does kvstore manage concurrent updates to a single row and if it's undefined, is there any way to protect/lock against this?

0 Karma