Data-models on a distributed search - Accelerate or don't Accelerate on the search head?

robertlynch2020
Influencer

Hi

What is the correct way to have datamodels for a distributed search?

I have one search head and 2 indexers (non-clustered) in a distributed search.
I have installed my app on the search head and indexers, with datamodels. On the indexers I can see the datamodels accelerated and they have a size; this makes sense, as the data comes into the indexers -> indexes and it is accelerated.

I also have datamodels on my search head - should they be accelerated? (If so, they take 0 KB.) When I run the following on my search head:

| tstats summariesonly=true

I get no results displayed, as the local datamodel is accelerated but empty. So how do I get it to look at the indexers?
0.00 dispatch.stream.remote 142 - 904,298
0.00 dispatch.stream.remote.dell425srv_5000 67 - 427,241
0.00 dispatch.stream.remote.hp4000_5000 75 - 477,057

If I run the below I get answers, but it is slow and not fast:

| tstats summariesonly=false

I can see data from the indexers (but with false it is slow; I need | tstats summariesonly=true => accelerated):
13.81 dispatch.stream.remote 508 - 4,215,762
6.92 dispatch.stream.remote.hp4000_5000 227 - 1,908,312
6.90 dispatch.stream.remote.dell425srv_5000 281 - 2,307,450

So - what is the correct way to have datamodels for a distributed search?

Cheers
Robbie

nvanderwalt_spl
Splunk Employee

Based on your description, it sounds like you are logging in to the GUI on the indexer, and enabling the data models there.
The data models should not be accelerated on the indexers themselves. You should only enable acceleration on the search heads.
Note that the data will still reside on the indexers, even though they are enabled on the search heads.

It also sounds like acceleration is not enabled on your search head, which is why you do not see any data when using summariesonly=true. Once you enable acceleration on the search heads, you should be able to see data with that option.

If it is already enabled and you are not seeing data with summaries only, it is possible that the acceleration searches are not running for some reason or another. If that is the case, look through the _internal logs and the monitoring console search dashboards.

robertlynch2020
Influencer

Hi

Thanks for the answer and the explanation.
I was logging into the indexer and turning on the datamodels. So I won't do this from now on.
What you said sounds correct.

Rob


woodcock
Esteemed Legend

Are your Indexers peered to more than 1 Search Head (maybe not yours, but somebody else's at your company)? I ask because it is the Search Head that causes an Indexer (tier) to perform Data Model Accelerations, and if you see that these exist on your Indexer, they must have been requested by a Search Head somewhere. Yes, this does mean that if 2 non-clustered Search Heads have the same Data Model accelerated, the Indexer tier will contain TWO identical DMAs. That is a bummer, but right now that is the way it is. So you should go ahead and enable the Data Model Acceleration on your Search Head and not worry about what those other files are on the Indexers.
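As an added example that is not part of this thread, here is the datamodels.conf placement that the accepted answer and the post above both describe: acceleration is declared only on the search head, which schedules the summary-building searches, while the indexers execute them and keep the summaries next to their own indexes. The app name, model name and 7-day window are placeholders.

```ini
# Search head: $SPLUNK_HOME/etc/apps/<your_app>/local/datamodels.conf
# (<your_app>, My_Data_Model and the 7-day window are placeholders.)
# Acceleration is switched on here and only here. The search head schedules the
# summary-building searches; the indexers run them and store the resulting
# summaries alongside their indexes, so the data never leaves the indexer tier.
[My_Data_Model]
acceleration = 1
# Oldest data to summarise; this is also how much summary the indexers retain.
acceleration.earliest_time = -7d
# How often the search head dispatches the summary build (default is every 5 minutes).
acceleration.cron_schedule = */5 * * * *

# Indexers: the same app is installed so the data model definition is present,
# but acceleration stays off in that copy. Enabling it from the indexer's own
# GUI, as in the question, produces summaries that the search head's
# "| tstats summariesonly=true" search does not use.
# [My_Data_Model]
# acceleration = 0
```

After the first scheduled build completes, `| tstats summariesonly=true count from datamodel=My_Data_Model` on the search head should return a non-zero count. If it stays empty, `index=_internal sourcetype=scheduler savedsearch_name="_ACCELERATE_DM_*"` on the search head shows whether the acceleration searches are being dispatched at all.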

robertlynch2020
Influencer

Hi

Cheers as always for the answer.
My indexers are not peered to more than one search head, I only have one.

Rob 🙂
