Splunk Enterprise Security

How can I ensure that my upgrade of Splunk Enterprise Security doesn't affect my data model acceleration enforcement settings?

Contributor

Data model acceleration enforcement causing issues with Enterprise Security upgrade

I upgraded ES from 5.0.0 to 5.1.1 today and am concerned about the whole process.

Upgrading ES is simple enough, but when forced to go through the setup, the process of updating helper apps, including SplunkSACIM, enables data model acceleration on data models that we don't use. (It overwrites SplunkSACIM/local/datamodels.conf with all data models set to acceleration = true.)

It seems to break the whole model of "put things in your local directory so they won't be touched during an upgrade".

In addition, we have to go into Settings -> Data Inputs -> Data Model Acceleration Enforcement Settings and manually Disable all 19 items, otherwise it appears that the datamodels.conf file gets rewritten immediately after you make the change.

Is there a better process for ensuring that you don't lose your intended configs after an ES upgrade?
Is there a config file that is associated with "Data Model Acceleration Enforcement Settings"? (I have not been able to find one.)

Thank you

1 Solution

Splunk Employee

The enforcement is implemented as a modular input which runs periodically, so you will find the config for Data Model Acceleration Enforcement in inputs.conf. ES ships this in the SplunkEnterpriseSecuritySuite app namespace so the default and local config should be found in there.


Splunk Employee

Were the Data Model Acceleration Enforcement Settings still enabled prior to upgrade? It's strange that your local settings are getting overwritten.


Contributor

They were disabled prior to the upgrade. It appears that the upgrade toggled them back on. Thank you.


Splunk Employee

Okay, so first... the nature of this is tricky. Now, here's what's going on: on upgrade, ES will re-enable the enforcement of Data Model Acceleration settings. So even though it was disabled prior to upgrade, we flip it back on for you. The reason being that it was sort of a safeguard, as a number of searches depend on it. Annoying, yes. The proper way to disable acceleration is to uncheck the acceleration box for your Data Model, but leave enforcement enabled. Essentially, we're saying: enforce a value of acceleration=false. This will persist should you upgrade ES again.

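To check the effective state after an upgrade rather than trusting the UI, here is an added example (not code from the thread or from Splunk) that layers a local datamodels.conf over a default one per stanza and per key, the way Splunk merges its .conf layers, and reports which data models end up accelerated and which accelerated models have no explicit local pin. Both conf bodies are constructed samples; the stanza names are CIM model names used for illustration, not a claim about what the shipped file contains.

```python
import configparser
from typing import Dict, List

ConfDict = Dict[str, Dict[str, str]]

# Constructed sample: a default datamodels.conf as an upgrade might rewrite
# it, with every model turned on (hypothetical content, not the shipped file).
DEFAULT_CONF = """
[Authentication]
acceleration = true
acceleration.earliest_time = -1mon

[Web]
acceleration = true
acceleration.earliest_time = -1mon

[Email]
acceleration = true
"""

# Constructed sample: a local override that pins the unwanted models to
# acceleration = false, the approach recommended in the thread.
LOCAL_CONF = """
[Web]
acceleration = false

[Email]
acceleration = false
"""

def parse_conf(text: str) -> ConfDict:
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}.
    optionxform=str keeps keys case-sensitive, as Splunk does."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return {s: dict(parser[s]) for s in parser.sections()}

def effective(default_text: str, local_text: str) -> ConfDict:
    """Layer local over default: a local stanza overrides only the keys it sets."""
    merged = {s: dict(v) for s, v in parse_conf(default_text).items()}
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged

def is_true(value: str) -> bool:
    return value.strip().lower() in ("true", "t", "1", "yes", "y")

def accelerated_models(default_text: str, local_text: str) -> List[str]:
    """Models whose effective acceleration setting is on."""
    merged = effective(default_text, local_text)
    return sorted(s for s, k in merged.items() if is_true(k.get("acceleration", "false")))

def unpinned_models(default_text: str, local_text: str) -> List[str]:
    """Accelerated models with no local 'acceleration' key: exactly the ones
    a rewritten default file can silently flip, so these deserve a local pin."""
    local = parse_conf(local_text)
    return [m for m in accelerated_models(default_text, local_text)
            if "acceleration" not in local.get(m, {})]
```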

Contributor

Thank you ... I see what you're referring to. Cheers.
