Splunk Enterprise Security

How can I ensure that my upgrade of Splunk Enterprise Security doesn't affect my data model acceleration enforcement settings?

pkeller
Contributor

Data model acceleration enforcement causing issues with Enterprise Security upgrade

I upgraded ES from 5.0.0 to 5.1.1 today and am concerned about the whole process.

Upgrading ES is simple enough, but when forced to go through the setup, the process of updating helper apps, including Splunk_SA_CIM, enables data model acceleration on data models that we don't use. (It overwrites Splunk_SA_CIM/local/datamodels.conf with all data models set to acceleration = true.)

It seems to break the whole model of "put things in your local directory so they won't be touched during an upgrade"

In addition, we have to go into Settings -> Data Inputs -> Data Model Acceleration Enforcement Settings and manually disable all 19 items; otherwise it appears that the datamodels.conf file gets rewritten immediately after you make the change.

Is there a better process for ensuring that you don't lose your intended configs after an ES upgrade?
Is there a config file that is associated with "Data Model Acceleration Enforcement Settings"? (I have not been able to find one.)

Thank you

0 Karma
1 Solution

ccheung_splunk
Splunk Employee

The enforcement is implemented as a modular input which runs periodically, so you will find the config for Data Model Acceleration Enforcement in inputs.conf. ES ships this in the SplunkEnterpriseSecuritySuite app namespace so the default and local config should be found in there.


0 Karma

ccheung_splunk
Splunk Employee

Were the Data Model Acceleration Enforcement Settings still enabled prior to upgrade? It's strange that your local settings are getting overwritten.

0 Karma

pkeller
Contributor

They were disabled prior to the upgrade. It appears that the upgrade toggled them back on. - Thank you.

0 Karma

ccheung_splunk
Splunk Employee

Okay, so first... the nature of this is tricky. Now, here's what's going on: On upgrade, ES will re-enable the enforcement of Data Model Acceleration settings. So even though it was disabled prior to upgrade, we flip it back on for you. The reason being that it was sort of a safeguard, as a number of searches depend on it. Annoying, yes. The proper way to disable acceleration is to uncheck the acceleration box for your Data Model, but leave enforcement enabled. Essentially, we're saying, enforce a value of acceleration=false. This will persist should you upgrade ES again.

0 Karma
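One way to verify, after an ES upgrade, that the acceleration flags in Splunk_SA_CIM/local/datamodels.conf still match what you intended, rather than discovering the drift when search load spikes. This is an added example, not code from Splunk or from anyone in this thread; it assumes the datamodels.conf layout described above (one stanza per data model with an `acceleration` key) and uses a constructed sample file rather than reading a live deployment.

```python
"""Audit which data models are accelerated in a Splunk datamodels.conf.

Added example (not Splunk's or this thread's own code). Assumes a Splunk-style
datamodels.conf where each stanza is a data model name and the `acceleration`
key holds true/false or 1/0. The sample text below is constructed.
"""
import configparser

# Constructed sample: what Splunk_SA_CIM/local/datamodels.conf might look like
# after an upgrade flipped several models to acceleration = true.
SAMPLE_DATAMODELS_CONF = """\
# local overrides
[Authentication]
acceleration = true
acceleration.earliest_time = -1mon

[Network_Traffic]
acceleration = true

[Web]
acceleration = false

[Email]
acceleration = 1
"""

# The operator's intent (constructed): only these models should be accelerated.
INTENDED_ACCELERATED = {"Authentication", "Network_Traffic"}

# Values Splunk treats as "on" for boolean settings.
TRUE_VALUES = {"true", "1", "t", "yes", "y"}


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Splunk conf files are INI-like. Interpolation is disabled because values
    may contain '%', and strict=False tolerates duplicate stanzas (last wins).
    """
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True
    )
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def accelerated_models(text):
    """Return the set of data models whose acceleration flag is truthy."""
    conf = parse_conf(text)
    return {
        name
        for name, keys in conf.items()
        if (keys.get("acceleration") or "").strip().lower() in TRUE_VALUES
    }


def acceleration_drift(text, intended):
    """Compare the actual accelerated models with the intended set.

    Returns (unexpected, missing): models accelerated that should not be,
    and models that should be accelerated but are not. Both sorted lists.
    """
    actual = accelerated_models(text)
    return sorted(actual - set(intended)), sorted(set(intended) - actual)


if __name__ == "__main__":
    # In a real check, read $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local/datamodels.conf
    # (the file named in the question) instead of the constructed sample.
    unexpected, missing = acceleration_drift(SAMPLE_DATAMODELS_CONF, INTENDED_ACCELERATED)
    print("Unexpectedly accelerated:", unexpected)
    print("Missing acceleration:", missing)
```

Running this against the constructed sample reports `Email` as unexpectedly accelerated and nothing missing. Wiring it into a post-upgrade checklist gives a quick, repeatable signal that the local file was rewritten, which fits the advice above: keep enforcement enabled and set `acceleration=false` on the models you do not want, then confirm the file agrees.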


pkeller
Contributor

Thank you ... I see what you're referring to. - Cheers.

0 Karma