Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I ensure that my upgrade of Splunk Enterprise Security doesn't affect my data model acceleration enforcement settings?

pkeller
Contributor
‎10-29-2018 01:34 PM

Data model acceleration enforcement causing issues with Enterprise Security upgrade

I upgraded ES from 5.0.0 to 5.1.1 today and am concerned about the whole process.

Upgrading ES is simple enough, but when forced to go through the set up, the process of updating helper apps, including Splunk_SA_CIM enables data model accelerations on data models that we don't use. ( It overwrites Splunk_SA_CIM/local/datamodels.conf with all datamodels set to acceleration = true

It seems to break the whole model of "put things in your local directory so they won't be touched during an upgrade"

In addition, we have to go into Settings -> Data Inputs -> Data Model Acceleration Enforcement Settings and manually Disable all 19 items, otherwise it appears that the datamodels.conf file gets rewritten immediately after you make the change.

Is there a better process for ensuring that you don't lose your intended configs after an ES upgrade?
Is there a config file that is associated with "Data Model Acceleration Enforcement Settings" ( I have not been able to find one )

Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ccheung_splunk
Splunk Employee
Splunk Employee
‎10-29-2018 02:16 PM

The enforcement is implemented as a modular input which runs periodically, so you will find the config for Data Model Acceleration Enforcement in inputs.conf. ES ships this in the SplunkEnterpriseSecuritySuite app namespace so the default and local config should be found in there.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ccheung_splunk
Splunk Employee
Splunk Employee
‎10-29-2018 02:22 PM

Were the Data Model Acceleration Enforcement Settings still enabled prior to upgrade? It's strange that your local settings are getting overwritten.

0 Karma
Reply
Solved! Jump to solution

pkeller
Contributor
‎10-29-2018 02:32 PM

They were disabled prior to the upgrade. It appears that the upgrade toggled them back on. - Thank you.

0 Karma
Reply
Solved! Jump to solution

ccheung_splunk
Splunk Employee
Splunk Employee
‎10-29-2018 02:52 PM

Okay, so first... the nature of this is tricky. Now, here's what's going on: On upgrade, ES will re-enable the enforcement of Data Model Acceleration settings. So even though it was disabled prior to upgrade, we flip it back on for you. The reason being because it was sort of a safeguard as a number of searches depend on it. Annoying, yes. The proper way to disable acceleration is to uncheck the acceleration box for your Data Model, but leave enforcement enabled. Essentially, we're saying, enforce a value of acceleration=false. This will persist should you upgrade ES again.

0 Karma
Reply
Solved! Jump to solution
Solution

ccheung_splunk
Splunk Employee
Splunk Employee
‎10-29-2018 02:16 PM

The enforcement is implemented as a modular input which runs periodically, so you will find the config for Data Model Acceleration Enforcement in inputs.conf. ES ships this in the SplunkEnterpriseSecuritySuite app namespace so the default and local config should be found in there.

0 Karma
Reply
Solved! Jump to solution

pkeller
Contributor
‎10-29-2018 02:31 PM

Thank you ... I see what you're referring to. - Cheers.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...