...ultiple indexes linked to it. Shall I actually use the default datamodel in CIM, eg datamodel=Authentication with all the indexes in DMZ, ZoneA and ZoneB, or should I make copies of datamodel? S...
Hello, I would like to know the aim of this default constraint : (`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$) action="success" Especially what d...
Hello. I'm a Splunk newbie. There is confusion about setting up datamodel acceleration. According to the official documentation, if thedata in your datamodel is out of date, Splunk will c...
Greetings, I'm finally tackling the topic of datamodels within my organization, and am coming across situations I am needing to solve for. 1. Windows authentication data which has a null values i...
...models, I have a question regarding the storage location and method of accelerated data. If thedata is accelerated, does thedatamodel summary folder store the complete accelerated data or will i...
...ACCELERATE_ I accessed theDataModels page and expanded the CIM Validation (S.o.S) datamodel. The information I got is: "Access Count: 0 - Last Access: -) while size is 750MB and frequently updated. My q...
We are currently using a Splunk Enterprise environment with one search head and one indexer. We enabled datamodel acceleration because the performance of the search became poor as we used the s...
Hi 🙂 i'm new hier and i still don't understand the difference between summary indexing and datamodeling. When should I use each? Or which is the best option for optimizing searches?