TL;DR: In a site with multiple search heads, do I need to configure Data Model Acceleration on each and every search head? If the answer is yes, then can someone ELI5 how the jobs governing DMA run amongst multiple SH without causing conflicts?
ENVIRONMENT: Search Head Cluster with 3 members; one standalone search head; and 10 indexer peers (no clustering). Our goal was to install the Palo Alto App on all search heads so that we could leverage its dashboards regardless of whether user is on SHC, or on standalone.
ISSUE: Palo Alto app was installed on all search heads specified above. Currently, the data model acceleration is configured on the search head cluster for Palo Alto data models, with a 7 day acceleration range. DMA is NOT set on the standalone. Search head cluster members can leverage the Palo Alto dashboards, but the standalone does not populate the dashboards with any data. Maybe I'm chasing a red herring, but the only configuration difference I'm aware of is DMA not being enabled on the standalone SH. I've confirmed that indexer peers have datamodel_summary folders for the indexes associated with Palo Alto data. No indexing is being done locally on the search heads.
DMAs carry the GUID of the Splunk search head (cluster) that generated it in their name. They cannot be shared amongst each other.
Note that there is only one DMA summary per Search Head Cluster, not one for each cluster member.
This answer is no longer accurate as of Splunk 8.0:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
Thank you, but I'm still a bit confused. Per your answer: does that mean the standalone SH is unable to take advantage of the DMA? Maybe all I need to do is enable DMA on the standalone SH, but I'm wary of doing so because 1) I don't know if that would clobber settings for DMA on the SHC and 2) I don't know if that's even the root cause for my issue where the PA dashboards aren't populating.
Yes, the DMA is only usable by the search head that created it. To take advantage of DMA on the standalone SH, you need to enable the DMA there as well. Since they are separated by the Splunk instance GUID (generated on first SH start and stored in $SPLUNK_HOME/etc/instance.cfg), there will be no conflict between the two.
Whether that is the reason for your PA dashboards not populating is something I can't answer, but it is absolutely possible if the underlying searches are using tstats to search against the accelerated DMs.
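A way to verify which search head's summaries actually exist on an indexer, as an added example that is not part of this thread: it reads the GUID from instance.cfg (the `[general]` stanza's `guid` key) and lists datamodel_summary entries whose names embed that GUID, which is how the answer above says summaries are kept apart. The GUIDs and the directory tree in the sample are constructed for the demo, and the `<bucket>_<guid>` naming of summary directories is an assumption beyond what the answers state.

```shell
#!/bin/sh
# Added example, not from the thread. Checks which datamodel_summary entries
# on an indexer carry a given search head's instance GUID in their name.

# Read the instance GUID from an instance.cfg file ([general] stanza, "guid = ...").
read_instance_guid() {
    sed -n 's/^[[:space:]]*guid[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print the names of summary directories under $2 whose names contain GUID $1.
# Prints nothing when the indexer holds no summaries built by that search head.
summaries_for_guid() {
    guid="$1"
    summary_root="$2"
    for d in "$summary_root"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        case "$name" in
            *"$guid"*) printf '%s\n' "$name" ;;
        esac
    done
}

# Count how many summaries a search head owns on this indexer.
count_summaries_for_guid() {
    summaries_for_guid "$1" "$2" | wc -l | tr -d '[:space:]'
}

# Build a constructed sample tree: an SHC GUID and a standalone-SH GUID, and
# one indexer whose summaries were all built by the SHC (the situation in the
# question). The "<bucket>_<guid>" naming below is an assumption for the demo.
build_sample_tree() {
    root=$(mktemp -d)
    shc_guid="11111111-2222-3333-4444-555555555555"   # constructed
    sa_guid="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"    # constructed
    mkdir -p "$root/shc/etc" "$root/standalone/etc"
    printf '[general]\nguid = %s\n' "$shc_guid" > "$root/shc/etc/instance.cfg"
    printf '[general]\nguid = %s\n' "$sa_guid"  > "$root/standalone/etc/instance.cfg"
    summ="$root/idx/pan_logs/datamodel_summary"
    mkdir -p "$summ/1_${shc_guid}" "$summ/2_${shc_guid}"
    printf '%s\n' "$root"
}

# Stand-alone run (sh this_file.sh --demo): report what each search head can
# expect to find on the sample indexer.
if [ "${1:-}" = "--demo" ]; then
    root=$(build_sample_tree)
    summ="$root/idx/pan_logs/datamodel_summary"
    for sh in shc standalone; do
        guid=$(read_instance_guid "$root/$sh/etc/instance.cfg")
        echo "$sh ($guid): $(count_summaries_for_guid "$guid" "$summ") summary dir(s) on this indexer"
    done
    rm -rf "$root"
fi
```

Against a real deployment you would point `read_instance_guid` at `$SPLUNK_HOME/etc/instance.cfg` on the search head in question and `summaries_for_guid` at the index's datamodel_summary directory on an indexer; a count of zero for the standalone SH's GUID is consistent with DMA never having been enabled there.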