Splunk Enterprise Security

Data model acceleration not sticking

MKozanic
Path Finder

Hi All,

I'm not that familiar with DMA as I have not had any exposure really to setting up data models so far but am currently having an issue atm with DMA not saying active.

We had to disabled DMA on all ES data models where it was enabled due to an incident recently.  Now that the issues have been resolved, we need to re-enable DMA.

I have attempted to do this by following the below steps: 
1. Go to the ES app
2. Click "Configure" -> "CIM Setup"
3. Check the checkbox next to the "Accelerate" then change the Summary Range to 7 days (- 7 days), then click Save.
4. To verify , click "Configure" -> "Content" -> "Content Management".
5. Filter the type to "Data Model"
6. Check the lightning icon next in the row of the data model if is coloured "yellow".

This looked like it was working for a while, but after checking on it after a few hrs - all DMA had been disabled again.

Not sure why DMA will not stay enabled - have checked settings, nothing obvious as to why this would be happening.

Anyone else out there had this issue or got some idea on something I can check as to why this would be happening?

0 Karma
1 Solution

MKozanic
Path Finder

Thanks @richgalloway , 

While your advise was reverse to what I needed to do, it was correct.

In my case I needed to set acceleration enforcement = True for the models I was trying to enable.

However, due to a known issue version 6.0 (which we are on), I was not able to do this via the GUI and needed to run curl command to update via rest.

curl -ku admin https://<ServerAddress>:8089/servicesNS/nobody/SplunkEnterpriseSecuritySuite/data/inputs/dm_accel_settings/<dataModelName> --data "acceleration=true&manual_rebuilds=true&output_mode=json"

View solution in original post

0 Karma

MKozanic
Path Finder

I have tried to enforce acceleration on one model but am getting an error message: 

MKozanic_1-1627422727057.png

 

I just read this is a known bug with ES 6.0 (we are on 6.0.2) so assuming I will need to look at a work around to get this working.

 

0 Karma

MKozanic
Path Finder

Hi @richgalloway ,

Looking at the setting again, I noticed that enforcement is set to false - just wondering if this needs to be updated to True?

MKozanic_0-1627421810499.png

Would this be the cause of it turning off once after it has been running for a while?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Check the DMA Enforcement settings at Settings->Data Inputs->Datamodel Acceleration Enforcement.  Turn off enforcement for each DMA you wish to disable.  Then go back to the CIM Setup page to turn off the DMA.

---
If this reply helps you, Karma would be appreciated.

MKozanic
Path Finder

Thanks @richgalloway , 

While your advise was reverse to what I needed to do, it was correct.

In my case I needed to set acceleration enforcement = True for the models I was trying to enable.

However, due to a known issue version 6.0 (which we are on), I was not able to do this via the GUI and needed to run curl command to update via rest.

curl -ku admin https://<ServerAddress>:8089/servicesNS/nobody/SplunkEnterpriseSecuritySuite/data/inputs/dm_accel_settings/<dataModelName> --data "acceleration=true&manual_rebuilds=true&output_mode=json"

0 Karma

MKozanic
Path Finder

Hi @richgalloway

Thanks for the response, only we want to enable DMA - not disable.

I did check under DMA Enforcement settings at Settings->Data Inputs->Datamodel Acceleration Enforcement, but all looked OK as best I could see.

Will get some screen shots today and add to post

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...