All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to manage DataModel acceleration storage (tstatsHomePath) ?

ruiaires
Path Finder
‎05-16-2014 07:28 AM

Is there a way to manage the storage limits on the tstatsHomePath for an index that is using Data Model acceleration ?

I've installed the latest version of the Splunk for PaloAlto Networks that uses Splunk 6 DataModels instead of the TSCollect technique (which btw had the same problem) and right now I have 100GB in the datamodel_summary folder (and growing fast).

Reply
1 Solution
Solved! Jump to solution
Solution

btorresgil
Builder
‎05-16-2014 09:11 AM

You can change the limits in the datamodel settings. The default for the Palo Alto Networks app is 1 year of data summarized, but you can adjust it down to months or days using these steps:

  • Goto the Splunk for Palo Alto Networks App
  • In the top right, click "Settings" -> "Data Models"
  • For the "Palo Alto Networks Logs" data model, click "Edit" -> "Edit Acceleration"
  • Change the "Summary Range" from "1 Year" to your desired value.

Note that the dashboards in the app use accelerated data, so this setting defines the timerange available in the dashboards.

View solution in original post

Reply
Solved! Jump to solution

ben_leung
Builder
‎11-11-2015 10:05 AM

The PAN app did not consider larger amounts of data being collected. We have 1 day acceleration and the file system has already surpassed 300GB.

0 Karma
Reply
Solved! Jump to solution
Solution

btorresgil
Builder
‎05-16-2014 09:11 AM

You can change the limits in the datamodel settings. The default for the Palo Alto Networks app is 1 year of data summarized, but you can adjust it down to months or days using these steps:

  • Goto the Splunk for Palo Alto Networks App
  • In the top right, click "Settings" -> "Data Models"
  • For the "Palo Alto Networks Logs" data model, click "Edit" -> "Edit Acceleration"
  • Change the "Summary Range" from "1 Year" to your desired value.

Note that the dashboards in the app use accelerated data, so this setting defines the timerange available in the dashboards.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...