Splunk Enterprise Security

How do I stop datamodel accelerations from turning themselves back on?

traxxasbreaker
Communicator

I have an instance where I want to keep data model accelerations disabled but they seem to keep turning back on if I hit the debug/refresh REST endpoint or restart the Splunk instance...

For example, I disable acceleration on all of the data models in the app through the UI, then check the local datamodels.conf file and everything's fine except that I still see those datamodel acceleration searches running on the indexer side. Once I refresh or restart the instance to try to kill off what's still running on the indexers, I see each stanza in local/datamodels.conf revert from acceleration = false to acceleration = true until I disable it again.

What's especially interesting is the remote searches logs from the indexers and the Settings -> Data Models page still show the data model accelerations happening even though I set the below stanza in system/local/datamodels.conf, so I'm really not sure how they are running regardless of whether the values in the app's local/datamodels.conf stay set.

[default]
acceleration = false

Any ideas on how to make these stay turned off so I'm not fighting with them each time I restart the Splunk instance for other reasons?

1 Solution

maciep
Champion

Is this an ES instance? I know it has enforcement enabled for data models, which is where you should make the change in that environment.

Settings -> Data Inputs -> Data Model Acceleration Enforcement

traxxasbreaker
Communicator

Thank you, that's exactly the type of thing I suspected but didn't know to look for. This happens to be an ES staging instance for testing upgrades before deployment to the search head cluster where the SOC wants to validate using production data, but we don't want the datamodel accelerations running all the time. Disabling those inputs and doing a quick restart seems to have done the trick.

DalJeanis
SplunkTrust

@traxxasbreaker - We've converted that comment to an answer so you can accept it if your issue is handled.
