Manage state with the App Key Value Store

The App Key Value Store (or simply, KV Store) feature of Splunk Enterprise provides a way to save and retrieve data within your Splunk apps, thereby enabling you to manage and maintain the state of the application.

The KV Store lets you:

  • Perform Create-Read-Update-Delete (CRUD) operations on individual records using the Splunk REST API and lookups using the Splunk search language.
  • Define a set of typed fields for your data.
  • Apply role-based access to control which users are allowed to access and manage data.
  • Access key-value data across your search head cluster.
  • Perform distributed search-based lookups on the index tier (replication must first be enabled per collection).
  • Perform automatic lookups (replication must first be enabled per collection).
  • Back up and restore data.

Scenarios

Here are some examples that show how Splunk apps might use the KV Store:

  • Tracking workflow in an incident-review system that moves an issue from one user to another.
  • Keeping a list of environment assets provided by users.
  • Controlling a job queue.
  • Managing a UI session by storing the user or application state as the user interacts with the app.
  • Storing user metadata.
  • Caching results from search queries by Splunk or an external data store.
  • Storing checkpoint data for modular inputs.

The KV Store vs. CSV files

The KV Store adds a new lookup type to use with your apps: "kvstore". Before the KV Store feature was added, you might have used CSV-based lookups to augment data within your apps. Consider the following tradeoffs to decide which of your scenarios are better suited to use the KV Store or CSV-based lookups.

ProsCons
KV Store
  • Enables per-record insert/updates ("upserts").
  • Allows optional data type enforcement on write operations.
  • Allows you to define field accelerations to improve search performance.
  • Provides REST API access to the data collection.
Does not support case-insensitive field lookups.
CSV
  • Performs well for files that are small or rarely modified.
  • CSV files are easier to modify manually.
  • Integrating with other applications such as Microsoft Excel is easier because CSV is a standard format.
  • Supports case-sensitive field lookups.
  • Requires a full rewrite of a file for edit operations.
  • Does not support REST API access.

Therefore, depending on your use cases:

  • The KV Store is designed for large collections, and is the easiest way to develop an application that uses key-value data.
  • The KV Store is a good solution when data requires user interaction using the REST interface and when you have a frequently-changing data set.
  • A CSV-based lookup is a good solution when the data set is small or changes infrequently, and when distributed search is required.

Using the KV Store (for app developers)

For a walkthrough of how to use the KV Store, see the Tutorial: Use KV Store with a simple app.

For details about adding App Key Value Store features to an app, see the following topics:


Using the KV Store (for administrators)

For details about administering the App Key Value Store in Splunk Enterprise, see the following topics: