Deployment Architecture

How to update datamodels on a distributed system

robertlynch2020
Influencer

Hi
I have one search head and two indexers (Non-Clustered).

So how do I update data models? (E.G new Field, update a field, etc...)
Do I do it on the search head and then have to update the indexer configuration manually or does it happen automatically?
OR is there something else I am missing?

Thanks
Robert

0 Karma
1 Solution

jnudell_2
Builder

Hi Robert,

When you make changes to data models, you only need to adjust their settings on the search head that the data model is configured on. If it's accelerated, you would have to first disable acceleration, make your change and the enable acceleration again.

You will not need to make any adjustments on the indexer(s).

View solution in original post

0 Karma

jnudell_2
Builder

Hi Robert,

When you make changes to data models, you only need to adjust their settings on the search head that the data model is configured on. If it's accelerated, you would have to first disable acceleration, make your change and the enable acceleration again.

You will not need to make any adjustments on the indexer(s).

0 Karma

robertlynch2020
Influencer

Thanks for the answer.

So, if i add a new Indexer (Non clustered, search peer). I don't have to install the data models onto that search peer?

0 Karma

jnudell_2
Builder

No. You don't have to install the data model on any search peers. You only configure it on the search head. If you accelerate the data model, the indexers (search peers) will automatically create the associated accelerated summaries. Nothing needs to be modified on the indexers.

0 Karma

robertlynch2020
Influencer

great thanks, i will try and get back to you

0 Karma

robertlynch2020
Influencer

HI

To come back to you on this question.
We have installed a SH and 4 INDEXERS(Non Clustered). We have installed our app with our indexers=mlc_live and or datamodels.
We have set up the forwarders to send data to the INDEXERS, however the SH is giving us errors saying

"Search peer hp400srv_6000_INDEXER1 has the following message: Received event for unconfigured/disabled/deleted index=mlc_live with source="source::/net/dell429srv/dell429srv1/apps/QCST_RSAT_v3.1.43_SEC1/logs/traces/mxtiming_286120_dell429srv_80849.log" host="host::NICKNAME" sourcetype="sourcetype::MX_TIMING2".

So the INDEXERS dont know about the Index=MLC_LIVE, so 2 questions

How do i set up the indexes on the indexers?

Should i use this
https://docs.splunk.com/Documentation/Splunk/7.3.1/Updating/Aboutdeploymentserver

I am assuming i have to set my forwarders to send data to the 4 indexers

Cheers in advance

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...