Splunk Enterprise Security

How can I ensure that my upgrade of Splunk Enterprise Security doesn't affect my data model acceleration enforcement settings?

pkeller
Contributor

Data model acceleration enforcement causing issues with Enterprise Security upgrade

I upgraded ES from 5.0.0 to 5.1.1 today and am concerned about the whole process.

Upgrading ES is simple enough, but when forced to go through the setup, the process of updating helper apps, including Splunk_SA_CIM, enables data model acceleration on data models that we don't use. (It overwrites Splunk_SA_CIM/local/datamodels.conf with all datamodels set to acceleration = true.)

It seems to break the whole model of "put things in your local directory so they won't be touched during an upgrade".

In addition, we have to go into Settings -> Data Inputs -> Data Model Acceleration Enforcement Settings and manually Disable all 19 items, otherwise it appears that the datamodels.conf file gets rewritten immediately after you make the change.

Is there a better process for ensuring that you don't lose your intended configs after an ES upgrade?
Is there a config file that is associated with "Data Model Acceleration Enforcement Settings"? (I have not been able to find one.)

Thank you

1 Solution

ccheung_splunk
Splunk Employee

The enforcement is implemented as a modular input which runs periodically, so you will find the config for Data Model Acceleration Enforcement in inputs.conf. ES ships this in the SplunkEnterpriseSecuritySuite app namespace so the default and local config should be found in there.



ccheung_splunk
Splunk Employee

Were the Data Model Acceleration Enforcement Settings still enabled prior to upgrade? It's strange that your local settings are getting overwritten.


pkeller
Contributor

They were disabled prior to the upgrade. It appears that the upgrade toggled them back on. - Thank you.


ccheung_splunk
Splunk Employee

Okay, so first... the nature of this is tricky. Now, here's what's going on: on upgrade, ES will re-enable the enforcement of Data Model Acceleration settings. So even though it was disabled prior to upgrade, we flip it back on for you. The reason being that it was sort of a safeguard, as a number of searches depend on it. Annoying, yes. The proper way to disable acceleration is to uncheck the acceleration box for your Data Model, but leave enforcement enabled. Essentially, we're saying: enforce a value of acceleration=false. This will persist should you upgrade ES again.

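The upgrade behaviour described in the question (local/datamodels.conf rewritten with every model accelerated) and the advice above (keep enforcement on, enforce acceleration=false per model) both come down to what the effective acceleration flag per data model is after layering local/ over default/. The following is an added example, not code from the thread or from Splunk: it parses Splunk-style .conf text, resolves that layering, and reports models whose effective flag drifted from a pre-upgrade baseline. The conf contents are constructed sample data; the default/ and local/ file names are assumed from the thread's description of Splunk_SA_CIM.

```python
import configparser

# Constructed sample datamodels.conf contents (not from a real installation).
DEFAULT_CONF = """[Authentication]
acceleration = true
[Web]
acceleration = true
[Alerts]
acceleration = true
"""
# local/ before the upgrade: the site deliberately turned two models off.
PRE_UPGRADE_LOCAL = """[Web]
acceleration = false
[Alerts]
acceleration = false
"""
# local/ as found after the upgrade: both flipped back to true.
POST_UPGRADE_LOCAL = """[Web]
acceleration = true
[Alerts]
acceleration = true
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def effective_acceleration(default_text, local_text):
    """Layer local/ over default/ (Splunk precedence) and return {model: accelerated?}."""
    merged = {}
    for layer in (parse_conf(default_text), parse_conf(local_text)):
        for stanza, kv in layer.items():
            merged.setdefault(stanza, {}).update(kv)
    return {m: str(kv.get("acceleration", "false")).strip().lower() in ("true", "1")
            for m, kv in merged.items()}

def acceleration_drift(baseline, current):
    """Models whose effective flag changed: {model: (before, after)}."""
    return {m: (baseline.get(m, False), current.get(m, False))
            for m in sorted(set(baseline) | set(current))
            if baseline.get(m, False) != current.get(m, False)}

def upgrade_report():
    before = effective_acceleration(DEFAULT_CONF, PRE_UPGRADE_LOCAL)
    after = effective_acceleration(DEFAULT_CONF, POST_UPGRADE_LOCAL)
    return acceleration_drift(before, after)
```

Snapshot the effective map before the upgrade and run the drift check afterwards; any model listed is one the enforcement input switched back on.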


pkeller
Contributor

Thank you ... I see what you're referring to. - Cheers.
