- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
datamodel acceleration on multiple search heads
Hello,
Can you declare a datamodel acceleration on one search head and use the accelerated data from another server?
I have 2 search heads, one used for dashboards/jobs and another one for ad'hoc searches. The problem I see is if I design a datamodel on the first server and accelerate it, I cannot use the benefit of the acceleration from the second server.
Anyone know if there is a way to do that?
Regards,
Olivier
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By default, data model acceleration summaries reside in a predefined volume titled _splunk_summaries at the following path on each peer.
**$SPLUNK_DB/<index_name>/datamodel_summary/<bucket_id>/<search_head_or_pool_id>/DM_<datamodel_app>_<datamodel_name>**
Here is an example of data Model acceleration when in search Head Pooling and standalone Search head . Below are the GUI’s for splunk instance in Search head pooling.
Master Node: AC39CACC-1568-43C1-B20E-87293C33EB02
Pooled Search Heads
vasseclogsh01 5DF1AF1C-DDBC-46CA-8B8A-ACC5A856F69C
vasseclogsh02 69D3E403-EDF2-4B39-B1C0-9CB4170BFEEC
vasseclogsh03 1EA05635-A4A8-42C8-8B4B-E7E32588EFBD
POOL GUID 2BEE7480-7341-42C0-9D39-BF704DD302CA
Stand Alone Search Head/License Server/Distribution Server
2E1EBBE4-F1E9-4CCE-8CAC-FCAE53400B68
Indexers
vasseclog01 C9AF7157-66D2-4E91-99D8-A75ECF2B61BF
vasseclog02 7148CFFA-438A-436B-87D1-959E58E32541
vasseclog03 1C4CF6CF-8C6C-49B1-A117-836C63B07363
vasseclog04 B19CDDD4-E5C0-4FED-9DDC-586542BB34DE
vasseclog05 19D16429-BEA6-4540-9631-5EB580977C5E
i) I enabled acceleration on one of the Search Head in the Pool for the Sample Data Model Provided by Splunk (datamodel “Splunk's Internal Server Logs – SAMPLE”). When I look at the $SPLUNK_DB stuff for the Sample Splunk data model , the tsidx files are there.
The subdirectory 2BEE7480-7341-42C0-9D39-BF704DD302CA is the GUID of the search head pool. The subdirectory 168_C9AF7157-66D2-4E91-99D8-A75ECF2B61BF is the bucket_id in cluster
$SPLUNk_HOME/ var/lib/splunk/_internaldb/datamodel_summary/168_C9AF7157-66D2-4E91-99D8-A75ECF2B61BF/2BEE7480-7341-42C0-9D39-BF704DD302CA/DM_search_internal_server/
total 338208
-rw-------. 1 splunk splunk 199305844 Jun 19 07:14 1403176092-1403093605-18171596826151904182.tsidx
-rw-------. 1 splunk splunk 146895307 Jun 19 08:25 1403180606-1403031493-18171874432222791250.tsidx
-rw-------. 1 splunk splunk 0 Jun 19 08:25 hot_done
-rw-------. 1 splunk splunk 115252 Jun 19 08:25 metadata.csv
Each of the cluster Peer has similar tsidx files.
Which means every search head in the Pool will be able to search this Data Model using command like
| datamodel internal_server
| datamodel internal_server server search | stats count by host
ii) I enabled acceleration on one Stand Alone Search Head for the Sample Data Model Provided by Splunk (datamodel “Splunk's Internal Server Logs – SAMPLE”). When I look at the $SPLUNK_DB stuff for the Sample Splunk data model , the tsidx files are there.
The subdirectory 2E1EBBE4-F1E9-4CCE-8CAC-FCAE53400B68 is the GUID of the Standalone Search Head. The subdirectory 168_C9AF7157-66D2-4E91-99D8-A75ECF2B61BF is the bucket_id incluster
For example on Peer -- vasseclog01 C9AF7157-66D2-4E91-99D8-A75ECF2B61BF datamodel directory are like below
$SPLUNk_HOME/ var/lib/splunk/_internaldb/datamodel_summary/168_C9AF7157-66D2-4E91-99D8-A75ECF2B61BF/2E1EBBE4-F1E9-4CCE-8CAC-FCAE53400B68 /DM_search_internal_server/
total 338208
-rw-------. 1 splunk splunk 199305844 Jun 19 07:14 1403176092-1403093605-18171596826151904182.tsidx
-rw-------. 1 splunk splunk 146895307 Jun 19 08:25 1403180606-1403031493-18171874432222791250.tsidx
-rw-------. 1 splunk splunk 0 Jun 19 08:25 hot_done
-rw-------. 1 splunk splunk 115252 Jun 19 08:25 metadata.csv
Each of the cluster Peer has similar tsidx files.
So in search Head Pooling, data model acceleration is shared between the Search Head in the Pool.
The Data Model acceleration on the Standalone Search Head can't be shared with another Standalone search Head, each Standalone search head will need to maintain its own acceleration.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are using Search Head Pooling you can take advantage of the acceleration across both of them.
The Acceleration is tied to search head or id from the SHP.