Splunk Enterprise

Does wiredtiger support kvstore acceleration?

ktc78
Explorer

I'm running Splunk Enterprise 8.1.2 & its storage engine is 'mmapv1'

And I tested migrating to 'wiredTiger' ... but I'm afraid acceleration cannot work


Below are the steps I've done on the test env.

1. I made a test Splunk env. - just the same as my officially operating Splunk system

    And imported some of the kvstore collections into the test Splunk (with the same collections.conf & transform.conf)

[TEST.kvstore]
field.date = number
field.id = number
field.type = string
field.version = string
accelerated_fields.test = {"id":-1, "date":-1}

 

2. On the test Splunk (with no changes made yet - mmapv1), everything worked well

     I got a similar lookup search time to the original's

 

3. And then I changed storage engine to 'wiredTiger'
        https://docs.splunk.com/Documentation/Splunk/8.2.9/Admin/MigrateKVstore?ref=hk

 This member:
                   backupRestoreStatus : Ready
...
                                  port : 8191
                            replicaSet : DB79F8EF-3560-4A6C-B38E-FF06F1D54661
                     replicationStatus : KV store captain
                            standalone : 1
                                status : ready
                         storageEngine : wiredTiger

 

4. Finally I checked lookup search time on wiredtiger engine 
     "But lookup search time took much more than I expected"

       ㆍmmapv1 : 52 sec

       ㆍwiredtiger : 90 sec

 

So I checked what's wrong with test splunk and I found 'no kvstore accelerations'

(There it was... but disappeared after migration to wiredtiger)

 

Before (mmapv1)

before.png

After (wiredtiger)

after.png

 

I even tried to import a new kvstore collection, but that also failed (no acceleration was made)

 

Does wiredtiger support kvstore acceleration?

If so, which configuration should I use?

0 Karma

woodcock
Esteemed Legend

Definitely open a support case.

0 Karma

ktc78
Explorer

Sure I will

I just shared this issue on community for non-support version of 3.1.2 that I tested

Thank you for your advice

0 Karma