Data model acceleration enforcement causing issues with Enterprise Security upgrade
I upgraded ES from 5.0.0 to 5.1.1 today and am concerned about the whole process.
Upgrading ES is simple enough, but when forced to go through the setup, the process of updating helper apps, including Splunk_SA_CIM, enables data model accelerations on data models that we don't use. (It overwrites Splunk_SA_CIM/local/datamodels.conf with all datamodels set to acceleration = true.)
It seems to break the whole model of "put things in your local directory so they won't be touched during an upgrade".
In addition, we have to go into Settings -> Data Inputs -> Data Model Acceleration Enforcement Settings and manually Disable all 19 items, otherwise it appears that the datamodels.conf file gets rewritten immediately after you make the change.
Is there a better process for ensuring that you don't lose your intended configs after an ES upgrade?
Is there a config file that is associated with "Data Model Acceleration Enforcement Settings"? (I have not been able to find one.)
Thank you
The enforcement is implemented as a modular input which runs periodically, so you will find the config for Data Model Acceleration Enforcement in inputs.conf. ES ships this in the SplunkEnterpriseSecuritySuite app namespace so the default and local config should be found in there.
Were the Data Model Acceleration Enforcement Settings still enabled prior to upgrade? It's strange that your local settings are getting overwritten.
They were disabled prior to the upgrade. It appears that the upgrade toggled them back on. - Thank you.
Okay, so first... the nature of this is tricky. Now, here's what's going on: On upgrade, ES will re-enable the enforcement of Data Model Acceleration settings. So even though it was disabled prior to upgrade, we flip it back on for you. The reason is that it was sort of a safeguard, as a number of searches depend on it. Annoying, yes. The proper way to disable acceleration is to uncheck the acceleration box for your Data Model, but leave enforcement enabled. Essentially, we're saying, enforce a value of acceleration=false. This will persist should you upgrade ES again.
Thank you ... I see what you're referring to. - Cheers.
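A post-upgrade check for the behaviour described in the answer, as an added example that is not part of the original thread and is not Splunk's code: it layers the ES app's local inputs.conf over its default and lists the data models whose Splunk_SA_CIM/local/datamodels.conf value an enabled enforcement input would overwrite. The `dm_accel_settings://<model>` stanza name, its `acceleration` and `disabled` keys, and the sample file contents are assumptions constructed for illustration.

```python
import configparser

# Constructed sample files. The "dm_accel_settings://<model>" stanza name and
# its keys are assumptions about the ES inputs.conf, not taken from the thread.
ES_DEFAULT_INPUTS = """
[dm_accel_settings://Authentication]
acceleration = true
[dm_accel_settings://Email]
acceleration = true
"""
ES_LOCAL_INPUTS = """
[dm_accel_settings://Email]
acceleration = false
"""
CIM_LOCAL_DATAMODELS = """
[Authentication]
acceleration = false
[Email]
acceleration = false
"""
PREFIX = "dm_accel_settings://"

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def truthy(value):
    return str(value).strip().lower() in ("1", "true", "t", "yes", "y")

def effective_enforcement(default_text, local_text):
    """Layer local over default key by key, as Splunk does inside one app."""
    merged = parse(default_text)
    for stanza, kv in parse(local_text).items():
        merged.setdefault(stanza, {}).update(kv)
    return {s[len(PREFIX):]: kv for s, kv in merged.items() if s.startswith(PREFIX)}

def drift(default_inputs, local_inputs, datamodels_local):
    """Models whose datamodels.conf value an enabled enforcement input overrides."""
    current = parse(datamodels_local)
    out = {}
    for model, kv in effective_enforcement(default_inputs, local_inputs).items():
        if truthy(kv.get("disabled", "false")):
            continue  # enforcement off: datamodels.conf is left alone
        enforced = truthy(kv.get("acceleration", "false"))
        if enforced != truthy(current.get(model, {}).get("acceleration", "false")):
            out[model] = enforced
    return out

if __name__ == "__main__":
    print(drift(ES_DEFAULT_INPUTS, ES_LOCAL_INPUTS, CIM_LOCAL_DATAMODELS))
```

In the sample, Email carries an enforced `acceleration = false` in the ES local layer and so shows no drift, while Authentication is reported because its datamodels.conf value disagrees with the enforced one.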