Splunk Enterprise Security

How do I stop datamodel accelerations from turning themselves back on?

traxxasbreaker
Communicator

I have an instance where I want to keep data model accelerations disabled but they seem to keep turning back on if I hit the debug/refresh REST endpoint or restart the Splunk instance...

For example, I disable acceleration on all of the data models in the app through the UI, then check the local datamodels.conf file and everything's fine except that I still see those datamodel acceleration searches running on the indexer side. Once I refresh or restart the instance to try to kill off what's still running on the indexers, I see each stanza in local/datamodels.conf revert from acceleration = false to acceleration = true until I disable it again.

What's especially interesting is the remote searches logs from the indexers and the Settings -> Data Models page still show the data model accelerations happening even though I set the below stanza in system/local/datamodels.conf, so I'm really not sure how they are running regardless of whether the values in the app's local/datamodels.conf stay set.

[default]
acceleration = false

Any ideas on how to make these stay turned off so I'm not fighting with them each time I restart the Splunk instance for other reasons?

1 Solution

maciep
Champion

is this an ES instance? I know it has enforcement enabled for data models, which is where you should make the change in that environment.

Settings -> Data Inputs -> Data Model Acceleration Enforcement

View solution in original post

maciep
Champion

is this an ES instance? I know it has enforcement enabled for data models, which is where you should make the change in that environment.

Settings -> Data Inputs -> Data Model Acceleration Enforcement

traxxasbreaker
Communicator

Thank you, that's exactly the type of thing I suspected but didn't know to look for. This happens to be an ES staging instance for testing upgrades before deployment to the search head cluster where the SOC wants to validate using production data, but we don't want the datamodel accelerations running all the time. Disabling those inputs and doing a quick restart seems to have done the trick.

0 Karma

DalJeanis
Legend

@traxxasbreaker - We've converted that comment to an answer so you can accept it if your issue is handled.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...