How to best go about Data Model in Search Head Cluster

ankycampy
Explorer

Hi,

We have 3 search heads in a SHC, I am planning to deploy "Splunk_SA_CIM" in my SHC from Deployer.

Question 1 - Once "Splunk_SA_CIM" is deployed to the SHC members, and then, for example, I edit the "cim_Network_Traffic_indexes" macro from the Search Head GUI (search heads are behind an LB), add the firewall index to it, and then accelerate the "Network Traffic" DM from the GUI, will this accelerate this DM on all 3 Search Head members, and will the macro be updated on all 3 SH members too?

Question 2 - Or should I make the above changes in the "Splunk_SA_CIM" app under the "local" folder, in macros.conf and datamodels.conf on the deployer, and push to the SHC?

Question 3 - What is the correct way to manage/update the datamodels config in the "Splunk_SA_CIM" app (adding indexes, enabling acceleration, adding/removing fields) in a Search Head Cluster which will also have the Enterprise Security app installed in the near future?

gcusello
SplunkTrust

Hi @ankycampy,

Did you follow all the instructions at https://docs.splunk.com/Documentation/CIM/5.0.0/User/Install ?

Which kind of architecture do you have? OK, Search Head Cluster, but do you have clustered or non-clustered indexers?

Are your Search Heads configured to send logs to your Indexers?

Ciao.

Giuseppe

ankycampy
Explorer

Hi,

Thanks for the response. Yes, we have 3 search head members in the SHC and 3 indexers in an Indexer Cluster.

Search Heads are forwarding their logs to the indexers.

Yes, I have gone through this https://docs.splunk.com/Documentation/CIM/5.0.0/User/Install but I am unable to find how to set up CIM in an SHC environment.

I can push the CIM app to the SHC using the deployer, but how do I configure it (via the GUI of the SH (SHs are behind an LB), or configure the CIM app on the deployer and push it to the SHC)?

PickleRick
SplunkTrust

After you push the app to the SHC, any subsequent modification should be done via the GUI. It's not so much a matter of consistency across the search heads, because that you can achieve in other ways as well, but when you edit the datamodel via the GUI, there are additional validating mechanisms which keep you from misconfiguring your datamodels too much. I don't remember exactly where, but it's explicitly stated in the docs.

There is, however, one situation in which you should manually deploy the datamodel configuration: it's when you have more than one search head or search head cluster accessing the same indexer(s) independently and you want to share accelerated summaries. But that's a way more advanced topic than you need at the moment, I think.

gcusello
SplunkTrust

Hi @ankycampy,

you have to install the App on the SHC using the Deployer (you can find all the instructions to do this on the above page).

Then each setup you do via the GUI (https://docs.splunk.com/Documentation/CIM/5.0.0/User/Setup) on one SH will be replicated to the others by the SHC.

Ciao.

Giuseppe

ankycampy
Explorer

Thanks. So the CIM app will be deployed normally using the deployer, and the rest of the config I will do via the GUI, and it will be replicated to the SHC members.

That means the SHC members will have more updated config, done via the GUI in the CIM app, than we had in the CIM app on the deployer originally. The SHC members will have the GUI-updated config in the local folder of the app, which won't be affected when in future we may upgrade the CIM app from the deployer to the SHC.

I hope this understanding is correct?

gcusello
SplunkTrust

Hi @ankycampy,

yes exactly!

This is the same approach that you have using, e.g., Enterprise Security.

In fact, CIM is a part of it.

Tell me if I can help you more, otherwise, please, accept an answer for the other people of the Community.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉
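As an added illustration (not from any poster in this thread), here is what the two GUI changes from Question 1 end up as on each SHC member, next to the deployer-side alternative from Question 2. The index name `firewall` is the one from the question; the acceleration window is an assumed value, and the file paths assume a default `$SPLUNK_HOME` layout.

```ini
# --- On each SHC member, written by the GUI and replicated by the SHC ---
# $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local/macros.conf
[cim_Network_Traffic_indexes]
# "firewall" is the example index from the question; add others with OR
definition = (index=firewall)

# $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local/datamodels.conf
[Network_Traffic]
acceleration = 1
# summary range is an assumed value; the GUI writes whatever you pick
acceleration.earliest_time = -1mon

# --- Deployer-side alternative (Question 2) ---
# $SPLUNK_HOME/etc/shcluster/apps/Splunk_SA_CIM/local/macros.conf
# On push, the deployer merges this local/ into default/ on the members,
# so any later GUI edit (which lands in the members' local/) wins over it.
[cim_Network_Traffic_indexes]
definition = (index=firewall)
```

To see which file actually wins on a member, run `splunk btool macros list cim_Network_Traffic_indexes --debug` there; it prints the path each setting was read from.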

ankycampy
Explorer

Can anyone help with the above query?
