Splunk Enterprise Security

How to set up shared datamodels

Path Finder

We have a SHC of three members & 1 Enterprise Security. Prior to 8.0 each were running their own datamodels. Now that shared datamodel summaries is possible, I would like to set this up to reduce performance and disk usage but have questions about the exact implementation as the documentation is vague:

I know that in datamodels.conf I need to set acceleration.source_guid but that's it.
My questions are:

  1. Do I set this on the ES?
  2. Do I use /opt/splunk/etc/system/local/datamodels.conf?
  3. What would be the best way to verify the datamodels have been consolidated down to 1 copy? (right now datamodels are an exact copy of eachother)
Labels (1)
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.