Splunk Enterprise Security

How do I stop datamodel accelerations from turning themselves back on?

traxxasbreaker
Communicator

I have an instance where I want to keep data model accelerations disabled but they seem to keep turning back on if I hit the debug/refresh REST endpoint or restart the Splunk instance...

For example, I disable acceleration on all of the data models in the app through the UI, then check the local datamodels.conf file and everything's fine except that I still see those datamodel acceleration searches running on the indexer side. Once I refresh or restart the instance to try to kill off what's still running on the indexers, I see each stanza in local/datamodels.conf revert from acceleration = false to acceleration = true until I disable it again.

What's especially interesting is the remote searches logs from the indexers and the Settings -> Data Models page still show the data model accelerations happening even though I set the below stanza in system/local/datamodels.conf, so I'm really not sure how they are running regardless of whether the values in the app's local/datamodels.conf stay set.

[default]
acceleration = false

Any ideas on how to make these stay turned off so I'm not fighting with them each time I restart the Splunk instance for other reasons?

1 Solution

maciep
Champion

Is this an ES instance? I know it has enforcement enabled for data models, which is where you should make the change in that environment.

Settings -> Data Inputs -> Data Model Acceleration Enforcement

traxxasbreaker
Communicator

Thank you, that's exactly the type of thing I suspected but didn't know to look for. This happens to be an ES staging instance for testing upgrades before deployment to the search head cluster where the SOC wants to validate using production data, but we don't want the datamodel accelerations running all the time. Disabling those inputs and doing a quick restart seems to have done the trick.

0 Karma

DalJeanis
Legend

@traxxasbreaker - We've converted that comment to an answer so you can accept it if your issue is handled.

0 Karma
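
Added example (not part of the thread and not Splunk's own code): a small audit that flags data models whose `acceleration = false` setting in datamodels.conf will be switched back on by an enabled enforcement input, which is the behaviour described above. It assumes the enforcement inputs appear in inputs.conf as `dm_accel_settings://<model>` stanzas; the sample file contents and the function names are constructed for illustration.

```python
import configparser

# Constructed sample files (not taken from the poster's system).
DATAMODELS_CONF = """
[default]
acceleration = false

[Authentication]
acceleration = false

[Network_Traffic]
acceleration = false
"""

# Assumption: ES enforcement inputs use dm_accel_settings://<model> stanzas.
INPUTS_CONF = """
[dm_accel_settings://Authentication]
acceleration = true
disabled = 0

[dm_accel_settings://Network_Traffic]
acceleration = true
disabled = 1
"""

PREFIX = "dm_accel_settings://"
TRUE = {"1", "true", "t", "yes", "y"}

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def is_true(value):
    return str(value).strip().lower() in TRUE

def models_that_will_revert(datamodels_text, inputs_text):
    """Models set to acceleration=false that an enabled enforcement
    input will switch back to acceleration=true."""
    dm, inp = parse(datamodels_text), parse(inputs_text)
    default_accel = dm.get("default", "acceleration", fallback="false")
    reverted = []
    for section in inp.sections():
        if not section.startswith(PREFIX):
            continue
        model = section[len(PREFIX):]
        enforced = is_true(inp.get(section, "acceleration", fallback="false"))
        enabled = not is_true(inp.get(section, "disabled", fallback="0"))
        wanted = dm.get(model, "acceleration", fallback=default_accel)
        if enforced and enabled and not is_true(wanted):
            reverted.append(model)
    return sorted(reverted)
```

Feed it the merged contents of the relevant datamodels.conf and inputs.conf files; any model it returns still has an active enforcement input that needs to be disabled.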