Reporting

Data Model Acceleration

payal23
Path Finder

My Splunk architecture has 8 search heads in a cluster and 40 indexers in a cluster.
If I have to accelerate the data models, I have to update datamodels.conf on all the search heads. So I am confused: the indexers will store the data at only a single path, right? I mean, no duplicate data will be present?

Also, is it possible to accelerate a data model on only one search head (part of the cluster)?

0 Karma
1 Solution

tiagofbmm
Influencer

The data models' accelerated data will reside on your indexers, like your raw data. If you want it to be replicated, you would need to set the summary_replication parameter on the cluster master.

Data model acceleration is part of a scheduled job. If you are working with a search head cluster, the captain decides each time which member is going to run the data model acceleration job, so only one search head does the job. If you later open a dashboard on a search head that hasn't run the data model acceleration job, or for some reason does not have the data, it proxies that data from a member that has it.

https://docs.splunk.com/Documentation/Splunk/7.0.2/Indexer/Clustersandsummaryreplication


0 Karma


tiagofbmm
Influencer

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.

0 Karma

payal23
Path Finder

Is it possible to enable acceleration for only one search head in an SH cluster?

0 Karma

esix_splunk
Splunk Employee

It is not. When you have a SHC, all members of the SHC have a GUID that they share. (If you look in server.conf under the SHClustering stanza, you will see this.)

All data model acceleration is bound to the GUID, so all search heads share the accelerated data. In a SHC, there would be no benefit to having just one member hold this.

So, again, the most direct answer is 'no, not possible.'

0 Karma

payal23
Path Finder

Thanks!

Also, could you clear up one more query? I am not able to find any good documentation on it.

I have enabled acceleration for around 12 data models. After enabling it, I am getting errors like:
"Cannot write data to index path because you are low on disk space on partition"
"Configuration error for searchpeer took longer than expected when dispatching a search, typically reflects underlying storage performance issues"
"Indexer Congestion Errors"

So I want to understand what the exact problem is and how to fix it.

0 Karma

esix_splunk
Splunk Employee

You need to look at your indexers, under your defined index volume (default is $SPLUNK_HOME/var/lib/splunk/), and look at free disk space. You should also see a search peer name associated with this error message. That's where you should look.

Additionally, you may be having disk issues with regard to I/O. Make sure your indexers meet the minimum requirements (800 IOPS) for disk volumes. Otherwise you will see backed-up indexing queues and have associated search issues with the peers.
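
Added example (not part of any reply in this thread): a POSIX shell check for the two things the reply above says to look at on the named search peer, free space on the index volume and how much of it the data model summaries occupy. It assumes summaries sit in a `datamodel_summary` directory inside each index directory, and it uses a 5000 MB floor as a stand-in for your own `minFreeSpace` setting; the script and function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Run on an indexer (search peer).
# Assumptions: indexes live under DB_ROOT (default $SPLUNK_HOME/var/lib/splunk)
# and each index keeps its data model summaries in <index>/datamodel_summary.

# free_mb DIR: free space, in MB, on the partition that holds DIR.
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

# summary_kb DB_ROOT: one "<KB> <index>" line per index that has
# acceleration summaries on disk, largest first.
summary_kb() {
    for d in "$1"/*/datamodel_summary; do
        [ -d "$d" ] || continue          # glob matched nothing, or not a dir
        kb=$(du -sk "$d" | awk '{ print $1 }')
        echo "$kb $(basename "$(dirname "$d")")"
    done | sort -rn
}

# check_volume DB_ROOT MIN_FREE_MB: status 1 when free space is below the floor.
check_volume() {
    free=$(free_mb "$1")
    if [ "$free" -lt "$2" ]; then
        echo "LOW free=${free}MB min=${2}MB"
        return 1
    fi
    echo "OK free=${free}MB min=${2}MB"
}

# Usage: sh dm_disk_check.sh DB_ROOT [MIN_FREE_MB]
# The 5000 MB default is an assumed floor; use the value from your own config.
if [ "$#" -ge 1 ]; then
    summary_kb "$1"
    check_volume "$1" "${2:-5000}"
fi
```

Running it on each indexer before and after enabling acceleration shows which indexes the 12 data models' summaries are growing in, and whether the partition is approaching the floor that triggers the "low on disk space" error.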

payal23
Path Finder

Thank you for the details.

0 Karma

tiagofbmm
Influencer

I believe the error message is really self-explanatory: you are running out of space on your device. Confirm that.

0 Karma