About the app key value store

The app key value store (or KV store) provides a way to save and retrieve data within your Splunk apps, thereby letting you manage and maintain the state of the application.

Here are some ways that Splunk apps might use the KV Store:

Tracking workflow in an incident-review system that moves an issue from one user to another.
Keeping a list of environment assets provided by users.
Controlling a job queue.
Managing a UI session by storing the user or application state as the user interacts with the app.
Storing user metadata.
Caching results from search queries by Splunk or an external data store.
Storing checkpoint data for modular inputs.

For information on using the KV store, including how it compares to lookups, see app key value store documentation for Splunk app developers.

How KV store works with your deployment

The KV store stores your data as key-value pairs in collections. Here are the main concepts:

Collections are the containers for your data, similar to a database table. Collections exist within the context of a given app.
Records contain each entry of your data, similar to a row in a database table.
Fields correspond to key names, similar to the columns in a database table. Fields contain the values of your data as a JSON file. Although it is not required, you can enforce data types (number, boolean, time, and string) for field values.
_key is a reserved field that contains the unique ID for each record. If you don't explicitly specify the _key value, the app auto-generates one.
_user is a reserved field that contains the user ID for each record. This field cannot be overridden.
Accelerations improve search performance by making searches that contain accelerated fields return faster. Accelerations store a small portion of the collection's data set in an easy-to-traverse form.

The KV store files reside on search heads.

In a search head cluster, if any node receives a write, the KV store delegates the write to the KV store captain. The KV store keeps the reads local, however.

System requirements

KV store is available and supported on all Splunk Enterprise 64-bit builds. It is not available on 32-bit Splunk Enterprise builds. KV store is also not available on universal forwarders. See the Splunk Enterprise system requirements.

KV store uses port 8191 by default. See "System requirements and other deployment considerations for search head clusters" in the Distributed Search Manual.

Determine whether your apps use KV store

KV store is enabled by default on Splunk Enterprise 6.2+.

Apps that use the KV store typically have collections.conf defined in $SPLUNK_HOME/etc/apps/<app name>/default. In addition, transforms.conf will have references to the collections with external_type = kvstore

Use the KV store

To use the KV store:

1. Create a collection and optionally define a list of fields with data types using configuration files or the REST API.

2. Perform create-read-update-delete (CRUD) operations using search lookup commands and the Splunk REST API.

3. Manage collections using the REST API.

Monitor its effect on your Splunk Enterprise deployment

You can monitor your KV store performance through two views in the distributed management console. One view provides insight across your entire deployment (see "KV store: Deployment" in this manual). The other view gives you information about KV store operations on each search head (see "KV store: Instance").

Back up KV store data

Back up and restore your KV store data using the standard backup and restore tools and procedures used by your organization. To back up KV store data, back up all files in the path that is specified in the dbPath parameter of the [kvstore] stanza in the server.conf file.

For general information about backup strategies in Splunk Enterprise, see "Choose your backup strategy" in the Managing Indexers and Clusters of Indexers manual.

巴特西

splunk中mongodb作用——存用户相关数据如会话、搜索结果等