I was going through the documents on Datamodel Acceleration. Can you please help me in confirming if my understanding below is correct?
tstats
._raw
, yes. For very recent data before acceleration happened or for very old data beyond the acceleration window the datamodel-backed search will by default descend into _raw
to complete the results.tstats
._raw
, yes. For very recent data before acceleration happened or for very old data beyond the acceleration window the datamodel-backed search will by default descend into _raw
to complete the results.It's not going to apply the regexes to the raw data, the values will already have been extracted while the acceleration searches run in the background.
thanks Martin for your help. Accepted your answer.
@martin_mueller. Thank you
Regarding (4) : I meant to ask once the data is in high perfomance store, the extraction is independent of TAs? or during a search, will it still have to go through all TA regex etc?
Yes. Once data is in accelerated DM (DMA), in other words data was added into summary index of a given data model (storing in to DM summary index is called saving into so called High Performace Analytics Store (HPA) from marketing perspective) you do NOT need any TA extraction/parsing capabilities as you already filled the fields with values in some form before indexing/writing into summary index. '
Just a comment.
Storing events into a summary index means that data will get new sourcetype - "stash". This data is not count against Splunk license (its seen as internal data). However, when you save data into a summary index under some custom sourcetype (eg. sourcetyp="mysourcetype") using `collect` command then this data might in theory be parsed by TA that has parsing rules for this custom sourcetype.