Data Model Acceleration

payal23
Path Finder

My Splunk architecture has 8 search heads in a cluster and 40 indexers in a cluster.
If I have to accelerate the data models, I have to update datamodels.conf on all the search heads. So I am confused: the indexers will be storing the data at only a single path, right? I mean, no duplicate data will be present?

Also, is it possible to accelerate a data model on only one search head (part of the cluster)?

0 Karma
1 Solution

tiagofbmm
Influencer

The data models' accelerated data will reside on your indexers, like your raw data. If you want it to be replicated, you would need to set the summary_replication parameter on the cluster master.

Data acceleration is part of a scheduled job. If you are working with a search head cluster, then the captain decides each time which member is going to run the job to accelerate the data model. So only one search head does the job. If you later open a dashboard on a search head that hadn't done the data model acceleration job or for some reason does not have the data, then it proxies that data from a member that has it.

https://docs.splunk.com/Documentation/Splunk/7.0.2/Indexer/Clustersandsummaryreplication

0 Karma

tiagofbmm
Influencer

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.

0 Karma

payal23
Path Finder

Is it possible to enable acceleration for only one search head in a SH cluster?

0 Karma

esix_splunk
Splunk Employee

It is not. When you have a SHC, all members of the SHC have a GUID that they share. (If you look in server.conf under the SHClustering stanza, you will see this.)

All data model acceleration is bound to the GUID, so all search heads share the accelerated data. In a SHC, there would be no benefit to having just one member hold this.

So, again, the most direct answer is 'no, not possible.'

0 Karma

payal23
Path Finder

Thanks!

Also, could you clear up one more query, as I am not able to find any good documentation on it?

I have enabled acceleration for around 12 data models. After enabling it, I am getting errors like:
"Cannot write data to index path because you are low on disk space on partition"
"Configuration error for searchpeer took longer than expectedwhen dispatching a search,typically reflects underlying storage performance issues"
"Indexer Congestion Errors"

So, I want to understand what the exact problem is and how to fix it.

0 Karma

esix_splunk
Splunk Employee

You need to look at your indexers, under your defined index volume (default is $splunk_home/var/lib/splunk/), and look at free disk space. You should also see a search peer name associated with this error message. That's where you should look.

Additionally, you may be having disk issues with regard to I/O. Make sure your indexers meet the minimum requirements (800 IOPS) for disk volumes. Otherwise you will see backed-up indexing queues and have associated search issues with the peers.
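
The disk check described in the reply above, as an added example that is not part of the original thread or Splunk's own tooling: it reports free space on the index volume and how much of each index is taken by acceleration summaries. It assumes summaries sit in a `datamodel_summary` directory under each index (the default location), a 5000 MB threshold taken to match the default `minFreeSpace`, and `/opt/splunk` as a fallback install path.

```python
import os
import shutil
import sys

# Assumed to mirror the default minFreeSpace (in MB) under [diskUsage] in server.conf.
MIN_FREE_MB = 5000

def dir_size(path):
    """Total bytes of regular files under path; symlinks are not followed."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            if not os.path.islink(full):
                total += os.path.getsize(full)
    return total

def summary_usage(index_root):
    """Map each index directory to the bytes held in its datamodel_summary folder."""
    usage = {}
    for entry in sorted(os.listdir(index_root)):
        summary_dir = os.path.join(index_root, entry, "datamodel_summary")
        if os.path.isdir(summary_dir):
            usage[entry] = dir_size(summary_dir)
    return usage

def check_volume(index_root, min_free_mb=MIN_FREE_MB):
    """Return (free_mb, low_on_space, usage) for the partition holding index_root."""
    free_mb = shutil.disk_usage(index_root).free // (1024 * 1024)
    return free_mb, free_mb < min_free_mb, summary_usage(index_root)

if __name__ == "__main__":
    # Default path follows the reply above; /opt/splunk is an assumed fallback.
    # Pass a different index volume as the first argument.
    home = os.environ.get("SPLUNK_HOME", "/opt/splunk")
    default_root = os.path.join(home, "var", "lib", "splunk")
    root = sys.argv[1] if len(sys.argv) > 1 else default_root
    free_mb, low, usage = check_volume(root)
    print(f"{root}: {free_mb} MB free{' (below threshold)' if low else ''}")
    for index, size in sorted(usage.items(), key=lambda kv: kv[1], reverse=True):
        print(f"  {index}: {size / 1024 / 1024:.1f} MB of acceleration summaries")
```

Run it on the search peer named in the error message; the indexes at the top of the list are the ones whose accelerated data models are consuming the most space.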

payal23
Path Finder

Thank you for the details.

0 Karma

tiagofbmm
Influencer

I believe the error message is really self-explanatory: you are running out of space on your device. Confirm that.

0 Karma