Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to update datamodels on a distributed system

robertlynch2020
Motivator
‎06-10-2019 08:07 AM

Hi
I have one search head and two indexers (Non-Clustered).

So how do I update data models? (E.G new Field, update a field, etc...)
Do I do it on the search head and then have to update the indexer configuration manually or does it happen automatically?
OR is there something else I am missing?

Thanks
Robert

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jnudell_2
Builder
‎06-10-2019 12:12 PM

Hi Robert,

When you make changes to data models, you only need to adjust their settings on the search head that the data model is configured on. If it's accelerated, you would have to first disable acceleration, make your change and the enable acceleration again.

You will not need to make any adjustments on the indexer(s).

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jnudell_2
Builder
‎06-10-2019 12:12 PM

Hi Robert,

When you make changes to data models, you only need to adjust their settings on the search head that the data model is configured on. If it's accelerated, you would have to first disable acceleration, make your change and the enable acceleration again.

You will not need to make any adjustments on the indexer(s).

0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Motivator
‎06-12-2019 09:05 AM

Thanks for the answer.

So, if i add a new Indexer (Non clustered, search peer). I don't have to install the data models onto that search peer?

0 Karma
Reply
Solved! Jump to solution

jnudell_2
Builder
‎06-12-2019 09:20 AM

No. You don't have to install the data model on any search peers. You only configure it on the search head. If you accelerate the data model, the indexers (search peers) will automatically create the associated accelerated summaries. Nothing needs to be modified on the indexers.

0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Motivator
‎06-12-2019 09:23 AM

great thanks, i will try and get back to you

0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Motivator
‎10-01-2019 04:20 AM

HI

To come back to you on this question.
We have installed a SH and 4 INDEXERS(Non Clustered). We have installed our app with our indexers=mlc_live and or datamodels.
We have set up the forwarders to send data to the INDEXERS, however the SH is giving us errors saying

"Search peer hp400srv_6000_INDEXER1 has the following message: Received event for unconfigured/disabled/deleted index=mlc_live with source="source::/net/dell429srv/dell429srv1/apps/QCST_RSAT_v3.1.43_SEC1/logs/traces/mxtiming_286120_dell429srv_80849.log" host="host::NICKNAME" sourcetype="sourcetype::MX_TIMING2".

So the INDEXERS dont know about the Index=MLC_LIVE, so 2 questions

How do i set up the indexes on the indexers?

Should i use this
https://docs.splunk.com/Documentation/Splunk/7.3.1/Updating/Aboutdeploymentserver

I am assuming i have to set my forwarders to send data to the 4 indexers

Cheers in advance

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...