My Splunk architecture has 8 search heads in a cluster and 40 indexers in a cluster.
If I have to accelerate the data models, I have to update datamodels.conf in all the search heads. So, I am confused: the indexer will be storing only at a single path, right? I mean, no duplicate data will be present?
Also, is it possible to accelerate a data model in only one search head (part of the cluster)?
The data models' accelerated data will reside in your indexers, like your raw data. If you want it to be replicated, you would need to set the summary_replication parameter in the cluster master.
The data acceleration is part of a scheduled job. If you are working with a search head cluster, then the captain decides each time which member is going to run the job to accelerate the data model. So only one search head does the job. If you later open a dashboard in a search head that hadn't done the data model acceleration job or for some reason does not have the data, then it proxies that data from one member that has it.
Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.
It is not. When you have a SHC, all members of the SHC have a GUID that they share. (If you look in server.conf under the SHClustering stanza, you will see this.)
All data model acceleration is bound to the GUID, so all search heads share the accelerated data. In a SHC, there would be no benefit to having just one member hold this.
So, again, the most direct answer is 'no, not possible.'
Also, could you clear up one more query, as I am not able to find any good documentation for the same?
Actually, I have enabled acceleration for around 12 data models. So after enabling, I am getting errors like:
"Cannot write data to index path because you are low on disk space on partition"
"Configuration error for searchpeer took longer than expected when dispatching a search, typically reflects underlying storage performance issues"
"Indexer Congestion Errors"
So, I want to understand what the exact problem is and how to fix it.
You need to look at your indexers, under your defined index volume (default is $SPLUNK_HOME/var/lib/splunk/), and look at free disk space. You should also see a search peer name associated with this error message. That's where you should look.
Additionally, you may be having disk issues with regard to I/O. Make sure your indexers meet the minimum requirements (800 IOPS) for disk volumes. Otherwise you will see backed-up indexing queues and have associated search issues with the peers.