Data model acceleration not working

sarit_s
Communicator

Hello
I'm running Splunk data model acceleration
and it stopped working.
It is stuck in skipping and nothing happens.
With "summariesonly=true" I get no results, but if I set it to false I get results.
Also, I've created a new one, event based, and it's working.
The first one was search based.
I couldn't find any errors in the logs.
Any suggestions?

nickhills
Ultra Champion

If you have skipping searches, it would suggest that your search head(s) are struggling under search load.
Is this a standalone SH or a Search Head Cluster?

The reason a small data model might complete is because the search to accelerate it is completing quickly, whereas longer searches are being deferred or skipped.

You need to identify if this has started "out of the blue" or has been a problem building over time.

Some things you can consider to address the issue.
Easiest (simplest) to hardest (probably)

  • Make sure all your scheduled searches don't run at once, i.e., at 00 minutes every hour. Stagger them throughout the hour if you can. Avoid increments of 5 (00, 05, 10 etc.) and pick interval mins (11, 13, 17) etc.
  • Try to run heavy/long searches during otherwise quiet periods - overnight maybe? Depends on your env.
  • Reduce the acceleration period - has more impact if you are building DMs from scratch, but shorter accel windows mean less data - so shorter accel searches. (Be mindful of the impact this has on your users! ES/ITSI!)
  • Add more search heads (if SH clustered), but only applicable if your search peers are not also overwhelmed
  • Add more cores to standalone SHs - as above ^ only if you're sure idx peers are not pegged.
  • If the peers are slammed...
  • Add more search peers
  • Add more search peer cores
  • Add more search peer IOPS

If you get far enough down that list to consider adding more compute/disk, it's probably worth checking that your environment is properly architected before adding resources to solve the problem. A detailed dive into where the bottleneck is would be recommended.

If my comment helps, please give it a thumbs up!
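
An added example, not part of the answer above: one way to check the first suggestion (staggering schedules) is to count how many enabled scheduled searches share each minute of the hour. It reads the `enableSched` and `cron_schedule` settings from savedsearches.conf-style text; the stanza names and the sample are constructed, and only the minute field of each cron expression is considered (an assumed simplification).

```python
import re
from collections import Counter

# Constructed sample in savedsearches.conf style (stanza names are made up).
SAMPLE_CONF = """\
[Failed logins hourly]
enableSched = 1
cron_schedule = 0 * * * *
[Proxy summary]
enableSched = 1
cron_schedule = */5 * * * *
[DNS rollup]
enableSched = 1
cron_schedule = 0 * * * *
[Endpoint report]
enableSched = 1
cron_schedule = 17 * * * *
[Disabled search]
enableSched = 0
cron_schedule = 0 * * * *
"""

def minutes_of(field):
    """Expand a cron minute field (lists, ranges, */step) into a set of minutes."""
    out = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            lo, hi = 0, 59
        elif "-" in rng:
            lo, hi = map(int, rng.split("-"))
        else:
            lo = hi = int(rng)
        out.update(range(lo, hi + 1, int(step) if step else 1))
    return out

def schedule_load(conf_text):
    """Map minute-of-hour -> number of enabled scheduled searches firing then."""
    load = Counter()
    for stanza in re.split(r"^\[", conf_text, flags=re.M)[1:]:
        kv = dict(re.findall(r"^(\w+)\s*=\s*(.+)$", stanza, flags=re.M))
        enabled = kv.get("enableSched", "0").strip() in ("1", "true")
        if enabled and "cron_schedule" in kv:
            load.update(minutes_of(kv["cron_schedule"].split()[0]))
    return load

def hot_minutes(load, limit=1):
    """Minutes where more than `limit` searches are scheduled to start together."""
    return sorted(m for m, n in load.items() if n > limit)

if __name__ == "__main__":
    load = schedule_load(SAMPLE_CONF)
    print("crowded minutes:", hot_minutes(load))
```

Minutes reported as crowded are the candidates to move to less common values such as 11, 13 or 17.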

sarit_s
Communicator

If you can, set your comment as an answer so I will approve it 🙂

sarit_s
Communicator

Thank you very much for the detailed answer!
We are running with a standalone SH.
We already decided that we want to add at least one more and cluster them, but I didn't know that the issue with the data model is related.

thanks,
