Knowledge Management

SPLUNK KVStore slowness

badrinath_itrs
Communicator

In one of our SPLUNK SH Cluster environment, inserting records into KVStore using rest command is taking lot of time
and I am able to post only 20 Records into the collection in one minute.

The splunkd_access.log shows below message and tells that the each KVStore post is taking close to 3-5 secs.

splunkd_access.log output as below.

127.0.0.1 - user [06/Jan/2020:13:56:55.591 +1100] "POST /servicesNS/nobody/test_app/storage/collections/data/TestCollection HTTP/1.1" 201 13 - - - 5889ms

There is nothing suspicious message in mongo logs which tells why the insert is taking lot of time.

Here is the sample script I am using for inserting records into KVStore. I can use the outputlookup command to update records into KVStore but this is to investigate the issue which we are facing in overall slowness of KVStore.

import json
import requests

headers = {
    'Content-Type': 'application/json',
}
with open('test.json') as json_file:
    data = json.load(json_file)
    for p in data['definitions']:
        print p;
        response = requests.post('https://localhost:8089/servicesNS/nobody/test_app/storage/collections/data/TestCollection', headers=headers, verify=False, auth=('user', 'password'),data=json.dumps(p))

I am raising with splunk support in parallel posting here and would like to check if anyone have had these kind of issues in their environment and what steps were taken to figure out what is causing this issue.

Storage IO wait on the mount point is close to 20 ms where SPLUNK is installed.

Labels (1)
0 Karma
1 Solution

badrinath_itrs
Communicator

We were using an LDAP user for authentication and the authentication was taking more time , hence it was slowing the KVStore update using API.

View solution in original post

0 Karma

badrinath_itrs
Communicator

We were using an LDAP user for authentication and the authentication was taking more time , hence it was slowing the KVStore update using API.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...