Hi All,
I'm not that familiar with DMA as I have not had any exposure really to setting up data models so far, but am currently having an issue atm with DMA not staying active.
We had to disable DMA on all ES data models where it was enabled due to an incident recently. Now that the issues have been resolved, we need to re-enable DMA.
I have attempted to do this by following the below steps:
1. Go to the ES app
2. Click "Configure" -> "CIM Setup"
3. Check the checkbox next to "Accelerate", then change the Summary Range to 7 days (- 7 days), then click Save.
4. To verify, click "Configure" -> "Content" -> "Content Management".
5. Filter the type to "Data Model"
6. Check the lightning icon in the row of the data model to see if it is coloured "yellow".
This looked like it was working for a while, but after checking on it after a few hrs - all DMA had been disabled again.
Not sure why DMA will not stay enabled - have checked settings, nothing obvious as to why this would be happening.
Anyone else out there had this issue or got some idea on something I can check as to why this would be happening?
Thanks @richgalloway ,
While your advice was the reverse of what I needed to do, it was correct.
In my case I needed to set acceleration enforcement = True for the models I was trying to enable.
However, due to a known issue in version 6.0 (which we are on), I was not able to do this via the GUI and needed to run a curl command to update via REST.
curl -ku admin https://<ServerAddress>:8089/servicesNS/nobody/SplunkEnterpriseSecuritySuite/data/inputs/dm_accel_settings/<dataModelName> --data "acceleration=true&manual_rebuilds=true&output_mode=json"
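The REST call from the reply above, extended to several data models, as an added example that is not from the thread or from Splunk. The host, CA file path, user variable, name check and model list are assumptions; it uses curl's --cacert in place of the post's -k so the management port's certificate is verified.

```shell
#!/usr/bin/env bash
# Added example: batch form of the REST call posted in the thread.
# Assumed (not from the thread): SPLUNK_HOST, SPLUNK_CA, SPLUNK_USER, model names.

SPLUNK_HOST="${SPLUNK_HOST:-splunk.example.internal}"  # placeholder host
SPLUNK_CA="${SPLUNK_CA:-/path/to/ca.pem}"              # placeholder CA bundle
APP="SplunkEnterpriseSecuritySuite"
PARAMS="acceleration=true&manual_rebuilds=true&output_mode=json"  # as posted

# Assumption: data model names are letters, digits and underscores only.
# Anything else is rejected so a bad list entry cannot alter the URL path.
valid_model() {
  case "$1" in
    ""|*[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the endpoint URL from the thread for one data model.
dm_accel_url() {
  printf 'https://%s:8089/servicesNS/nobody/%s/data/inputs/dm_accel_settings/%s' \
    "$SPLUNK_HOST" "$APP" "$1"
}

# Apply the setting to each model; returns non-zero if any model failed.
# DRY_RUN=1 (the default) only prints the requests that would be sent.
enforce_dm_accel() {
  rc=0
  for model in "$@"; do
    if ! valid_model "$model"; then
      echo "skip: invalid data model name '$model'" >&2
      rc=1
      continue
    fi
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "POST $(dm_accel_url "$model") $PARAMS"
    else
      # -u without a password makes curl prompt (once per model), which keeps
      # the password out of shell history and the process list.
      curl --silent --show-error --fail --cacert "$SPLUNK_CA" \
        -u "${SPLUNK_USER:-admin}" \
        "$(dm_accel_url "$model")" --data "$PARAMS" || rc=1
    fi
  done
  return "$rc"
}

# Constructed usage: DRY_RUN=1 enforce_dm_accel Authentication Network_Traffic
```

Run it with DRY_RUN=1 first to review the requests, then with DRY_RUN=0 to send them.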
I have tried to enforce acceleration on one model but am getting an error message:
I just read this is a known bug with ES 6.0 (we are on 6.0.2) so assuming I will need to look at a workaround to get this working.
Hi @richgalloway ,
Looking at the setting again, I noticed that enforcement is set to false - just wondering if this needs to be updated to True?
Would this be the cause of it turning off after it has been running for a while?
Check the DMA Enforcement settings at Settings->Data Inputs->Datamodel Acceleration Enforcement. Turn off enforcement for each DMA you wish to disable. Then go back to the CIM Setup page to turn off the DMA.
Hi @richgalloway,
Thanks for the response, only we want to enable DMA - not disable.
I did check under DMA Enforcement settings at Settings->Data Inputs->Datamodel Acceleration Enforcement, but all looked OK as best I could see.
Will get some screenshots today and add to post.