Splunk® Enterprise

Admin Manual

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

About the app key value store

The app key value store (or KV store) provides a way to save and retrieve data within your Splunk apps, thereby letting you manage and maintain the state of the application.

Here are some ways that Splunk apps might use the KV Store:

  • Tracking workflow in an incident-review system that moves an issue from one user to another.
  • Keeping a list of environment assets provided by users.
  • Controlling a job queue.
  • Managing a UI session by storing the user or application state as the user interacts with the app.
  • Storing user metadata.
  • Caching results from search queries by Splunk or an external data store.
  • Storing checkpoint data for modular inputs.

For information on using the KV store, see app key value store documentation for Splunk app developers.

How KV store works with your deployment

The KV store stores your data as key-value pairs in collections. Here are the main concepts:

  • Collections are the containers for your data, similar to a database table. Collections exist within the context of a given app.
  • Records contain each entry of your data, similar to a row in a database table.
  • Fields correspond to key names, similar to the columns in a database table. Fields contain the values of your data as a JSON file. Although it is not required, you can enforce data types (number, boolean, time, and string) for field values.
  • _key is a reserved field that contains the unique ID for each record. If you don't explicitly specify the _key value, the app auto-generates one.
  • _user is a reserved field that contains the user ID for each record. This field cannot be overridden.
  • Accelerations improve search performance by making searches that contain accelerated fields return faster. Accelerations store a small portion of the collection's data set in an easy-to-traverse form.

The KV store files reside on search heads.

In a search head cluster, if any node receives a write, the KV store delegates the write to the KV store captain. The KV store keeps the reads local, however.

System requirements

KV store is available and supported on all Splunk Enterprise 64-bit builds. It is not available on 32-bit Splunk Enterprise builds. KV store is also not available on universal forwarders. See the Splunk Enterprise system requirements.

KV store uses port 8191 by default. You can change the port number in server.conf's [kvstore] stanza. For information about other ports that Splunk Enterprise uses, see "System requirements and other deployment considerations for search head clusters" in the Distributed Search Manual.

For information about other configurations that you can change in KV store, see the "KV store configuration" section in server.conf.spec.

About Splunk FIPS

To use FIPS with KV store, see the "KV store configuration" section in server.conf.spec.

If Splunk FIPS is not enabled, those settings will be ignored.

If you enable FIPS but do not provide the required settings (caCertFile, sslKeysPath, and sslKeysPassword), KV store does not run. Look for error messages in splunkd.log and on the console that executes splunk start.

Determine whether your apps use KV store

KV store is enabled by default on Splunk Enterprise 6.2+.

Apps that use the KV store typically have collections.conf defined in $SPLUNK_HOME/etc/apps/<app name>/default. In addition, transforms.conf will have references to the collections with external_type = kvstore

Use the KV store

To use the KV store:

  1. Create a collection and optionally define a list of fields with data types using configuration files or the REST API.
  2. Perform create-read-update-delete (CRUD) operations using search lookup commands and the Splunk REST API.
  3. Manage collections using the REST API.

Monitor the KV store on your Splunk Enterprise deployment

You can monitor your KV store performance through two views in the monitoring console. One view provides insight across your entire deployment. The other provides detailed information about KV store operations on each search head. See KV store dashboards in Monitoring Splunk Enterprise.

Disable the KV store

KV store is enabled by default. You can disable the KV store on indexers and forwarders, and on any installation that does not have any local apps or local lookups that use the KV store.

To disable the KV store, open the local server.conf file and edit the following stanza:

[kvstore]
disabled=true

You can disable the KV store on an instance while it is running if you don't have any additional collections.conf files beyond the following list of default files:

  • $SPLUNK_HOME/etc/system/default/collections.conf
  • $SPLUNK_HOME/etc/apps/splunk_secure_gateway/default/collections.conf
  • $SPLUNK_HOME/etc/apps/splunk_instrumentation/default/collections.conf
  • $SPLUNK_HOME/etc/apps/python_upgrade_readiness_app/default/collections.conf
  • $SPLUNK_HOME/etc/apps/splunk-dashboard-studio/default/collections.conf
Last modified on 01 November, 2023
Troubleshoot the license usage report view   Resync the KV store

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters