Deployment Architecture
Highlighted

Data-models on a distributed search - Accelerate or don't Accelerate on the search head?

Motivator

Hi

What is the correct way to have datamodels for a distributed search?

I have one search head and 2 indexers (Non clustered) distributed search.
I have installed my app on search heads and indexers, with datamodels. On the indexers i can see the datamodels accelerated and they have a size, this makes sence and the data comes into the indexers->indexs and it is accelerated.

I also have datamodels on my searchhead - should they be accelerated (If so they take 0 kbs) When i run On my search head

| tstats summariesonly=true

I get no results displayed, as the local datamodel is accelerated, but empty. So how do i get it to look at the indexers?
0.00 dispatch.stream.remote 142 - 904,298
0.00 dispatch.stream.remote.dell425srv5000 67 - 427,241
0.00 dispatch.stream.remote.hp4000
5000 75 - 477,057

If i run below i get answers, but it is slow and not fast

| tstats summariesonly=false

I can see data from the indexers (But with false, it is slow, i need | tstats summariesonly=true => accelerated)
13.81 dispatch.stream.remote 508 - 4,215,762
6.92 dispatch.stream.remote.hp40005000 227 - 1,908,312
6.90 dispatch.stream.remote.dell425srv
5000 281 - 2,307,450

So - what is the correct way to have datamodels for a distributed search?

Cheers
Robbie

0 Karma
Highlighted

Re: Data-models on a distributed search - Accelerate or don't Accelerate on the search head?

Esteemed Legend

Are your Indexers peered to more than 1 Search Head (maybe not yours, but somebody else at your company)? I ask because it is the Search Head that causes an Indexer (tier) to perform Data Model Accelerations and if you see that these exist on your Indexer, they most have been requested by a Search Head somewhere. Yes, this does mean that if 2 non-clustered Search Heads have the same Data Model Accelerated, the Indexer tier will contain TWO identical DMAs. That is a bummer but right now, that is the way that it is. So you should go ahead and enable the Data Model Acceleration on your Search Head and not worry about what those other files are on the Indexers.

0 Karma
Highlighted

Re: Data-models on a distributed search - Accelerate or don't Accelerate on the search head?

Motivator

Hi

Cheers as always for the answer.
My indexers are not peered to more then one search head, I only have one.

Rob 🙂

0 Karma
Highlighted

Re: Data-models on a distributed search - Accelerate or don't Accelerate on the search head?

Path Finder

Based on your description, it sounds like you are logging in to the GUI on the indexer, and enabling the data models there.
The data models should not be accelerated on the indexers themselves. You should only enable acceleration on the search heads.
Note that the data will still reside on the indexers, even though they are enabled on the search heads.

It also sounds like acceleration is not enabled on your search head, which is why you do not see any data when using summariesonly=true. Once you enable acceleration on the search heads, you should be able to see data with that option.

If it is already enabled, and you are not seeing data with summaries only, it is possible that the acceleration searches are not running for some reason or the other. Look through the _internal logs and the monitoring console search dashboards, if that is the case.

View solution in original post

0 Karma
Highlighted

Re: Data-models on a distributed search - Accelerate or don't Accelerate on the search head?

Motivator

Hi

Thanks for the answer and the explanation.
I was logging into the indexer and turning on the datamodels. So i wont do this from now on
What you said sounds correct.

Rob

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.