Splunk Search

How to manage accelerated datamodels in cluster ?

agoyal
Builder

Hello,

We are planning to migrate single instance splunk installation to clustered deployment (1 MasterNode, 1 Search Head, 2 Indexer). we are using an App with accelerated datamodels.  

As per my understanding we can manage all datamodels from Search Head and datamodel should be accelerated on search head only.

Query 1: Can we deploy our full app with datamodels on indexers as well ? if no then what files need to be avoid deploying to indexers.
when we tried deploying full app on indexers its showing all accelerated datamodels on indexers as well. which I think wrong.

Query 2. Same question but for lookups. we are using many lookups as well. where should we keep all lookups ? (Search head OR indexers)  

Thanks

 

 

 

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Search heads coordinate acceleration of datamodels, but the accelerated data itself is stored on indexers.  You should be able to install your app on both the SH and indexers without a problem.

Lookups are sent from SH to indexers when a search begins.  Usually, this is not a problem, but when the lookup files get large then the search bundle can take too long to transfer and searches fail.  In that case, load the lookup files on the indexers and blacklist them from the search bundle.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!