datamodel acceleration on multiple search heads

OL
Communicator

Hello,

Can you declare a datamodel acceleration on one search head and use the accelerated data from another server?

I have 2 search heads, one used for dashboards/jobs and another one for ad hoc searches. The problem I see is that if I design a datamodel on the first server and accelerate it, I cannot use the benefit of the acceleration from the second server.

Anyone know if there is a way to do that?

Regards,
Olivier

rbal_splunk
Splunk Employee

By default, data model acceleration summaries reside in a predefined volume titled _splunk_summaries at the following path on each peer.

**$SPLUNK_DB/<index_name>/datamodel_summary/<bucket_id>/<search_head_or_pool_id>/DM_<datamodel_app>_<datamodel_name>**

Here is an example of data model acceleration with search head pooling and with a standalone search head. Below are the GUIDs for the Splunk instances in search head pooling.

Master Node: AC39CACC-1568-43C1-B20E-87293C33EB02

Pooled Search Heads
vasseclogsh01 5DF1AF1C-DDBC-46CA-8B8A-ACC5A856F69C
vasseclogsh02 69D3E403-EDF2-4B39-B1C0-9CB4170BFEEC
vasseclogsh03 1EA05635-A4A8-42C8-8B4B-E7E32588EFBD
POOL GUID 2BEE7480-7341-42C0-9D39-BF704DD302CA

Stand Alone Search Head/License Server/Distribution Server
2E1EBBE4-F1E9-4CCE-8CAC-FCAE53400B68

Indexers
vasseclog01 C9AF7157-66D2-4E91-99D8-A75ECF2B61BF
vasseclog02 7148CFFA-438A-436B-87D1-959E58E32541
vasseclog03 1C4CF6CF-8C6C-49B1-A117-836C63B07363
vasseclog04 B19CDDD4-E5C0-4FED-9DDC-586542BB34DE
vasseclog05 19D16429-BEA6-4540-9631-5EB580977C5E


i) I enabled acceleration on one of the Search Heads in the Pool for the Sample Data Model Provided by Splunk (datamodel “Splunk's Internal Server Logs – SAMPLE”). When I look at the $SPLUNK_DB stuff for the Sample Splunk data model, the tsidx files are there.

The subdirectory 2BEE7480-7341-42C0-9D39-BF704DD302CA is the GUID of the search head pool. The subdirectory 168_C9AF7157-66D2-4E91-99D8-A75ECF2B61BF is the bucket_id in cluster.

$SPLUNK_HOME/var/lib/splunk/_internaldb/datamodel_summary/168_C9AF7157-66D2-4E91-99D8-A75ECF2B61BF/2BEE7480-7341-42C0-9D39-BF704DD302CA/DM_search_internal_server/
total 338208
-rw-------. 1 splunk splunk 199305844 Jun 19 07:14 1403176092-1403093605-18171596826151904182.tsidx
-rw-------. 1 splunk splunk 146895307 Jun 19 08:25 1403180606-1403031493-18171874432222791250.tsidx
-rw-------. 1 splunk splunk 0 Jun 19 08:25 hot_done
-rw-------. 1 splunk splunk 115252 Jun 19 08:25 metadata.csv

Each of the cluster Peers has similar tsidx files.

Which means every search head in the Pool will be able to search this Data Model using commands like

| datamodel internal_server

| datamodel internal_server server search | stats count by host


ii) I enabled acceleration on one Stand Alone Search Head for the Sample Data Model Provided by Splunk (datamodel “Splunk's Internal Server Logs – SAMPLE”). When I look at the $SPLUNK_DB stuff for the Sample Splunk data model, the tsidx files are there.

The subdirectory 2E1EBBE4-F1E9-4CCE-8CAC-FCAE53400B68 is the GUID of the Standalone Search Head. The subdirectory 168_C9AF7157-66D2-4E91-99D8-A75ECF2B61BF is the bucket_id in cluster.

For example, on Peer vasseclog01 (C9AF7157-66D2-4E91-99D8-A75ECF2B61BF) the datamodel directories are like below:

$SPLUNK_HOME/var/lib/splunk/_internaldb/datamodel_summary/168_C9AF7157-66D2-4E91-99D8-A75ECF2B61BF/2E1EBBE4-F1E9-4CCE-8CAC-FCAE53400B68/DM_search_internal_server/
total 338208
-rw-------. 1 splunk splunk 199305844 Jun 19 07:14 1403176092-1403093605-18171596826151904182.tsidx
-rw-------. 1 splunk splunk 146895307 Jun 19 08:25 1403180606-1403031493-18171874432222791250.tsidx
-rw-------. 1 splunk splunk 0 Jun 19 08:25 hot_done
-rw-------. 1 splunk splunk 115252 Jun 19 08:25 metadata.csv

Each of the cluster Peers has similar tsidx files.

So in Search Head Pooling, data model acceleration is shared between the Search Heads in the Pool.

The Data Model acceleration on the Standalone Search Head can't be shared with another Standalone Search Head; each Standalone Search Head will need to maintain its own acceleration.
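
The directory layout described in the answer above can be parsed to see which search head or pool owns each summary on a peer. This is an added example, not code from the thread or from Splunk: the function names are hypothetical, the sample paths are the two directories quoted in the answer, and splitting `DM_<app>_<model>` on the first underscore assumes the app name contains none.

```python
import re
from collections import defaultdict

# Layout quoted in the answer:
# $SPLUNK_DB/<index_name>/datamodel_summary/<bucket_id>/<search_head_or_pool_id>/DM_<app>_<model>
SUMMARY_RE = re.compile(
    r"(?P<index_db>[^/]+)/datamodel_summary/(?P<bucket_id>[^/]+)/"
    r"(?P<owner_guid>[0-9A-Fa-f-]{36})/DM_(?P<dm>[^/]+)/?$"
)

def parse_summary_path(path):
    """Split one summary directory path into its fields; None if it does not match."""
    m = SUMMARY_RE.search(path.strip())
    if not m:
        return None
    # Assumption: the app name has no underscore, so split on the first one only.
    app, _, model = m["dm"].partition("_")
    return {"index_db": m["index_db"], "bucket_id": m["bucket_id"],
            "owner_guid": m["owner_guid"].upper(), "app": app, "model": model}

def owners_by_model(paths, owner_names):
    """Map (app, model) to the sorted owners that each keep their own summary."""
    owners = defaultdict(set)
    for path in paths:
        fields = parse_summary_path(path)
        if fields:
            guid = fields["owner_guid"]
            owners[(fields["app"], fields["model"])].add(owner_names.get(guid, guid))
    return {key: sorted(names) for key, names in owners.items()}

def duplicated_models(paths, owner_names):
    """Data models summarized more than once because several owners accelerate them."""
    return {k: v for k, v in owners_by_model(paths, owner_names).items() if len(v) > 1}

# GUIDs and directories as shown in the answer (paths retyped without stray spaces).
OWNER_NAMES = {
    "2BEE7480-7341-42C0-9D39-BF704DD302CA": "search head pool",
    "2E1EBBE4-F1E9-4CCE-8CAC-FCAE53400B68": "standalone search head",
}
BASE = "$SPLUNK_HOME/var/lib/splunk/_internaldb/datamodel_summary/168_C9AF7157-66D2-4E91-99D8-A75ECF2B61BF"
SAMPLE_PATHS = [
    BASE + "/2BEE7480-7341-42C0-9D39-BF704DD302CA/DM_search_internal_server/",
    BASE + "/2E1EBBE4-F1E9-4CCE-8CAC-FCAE53400B68/DM_search_internal_server/",
]

if __name__ == "__main__":
    for (app, model), owners in duplicated_models(SAMPLE_PATHS, OWNER_NAMES).items():
        print(f"{app}/{model} is summarized separately for: {', '.join(owners)}")
```

On a real peer the path list would come from listing the `datamodel_summary` directories under each index; a model reported here is being built and stored once per owner.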

ducaandr
Engager

If you are using Search Head Pooling you can take advantage of the acceleration across both of them.

The acceleration is tied to the search head or the ID from the SHP.
