Deployment Architecture

How to configure Data Model Acceleration when there are multiple search heads

robertl_kinney
Explorer

TL;DR: In a site with multiple search heads, do I need to configure Data Model Acceleration on each and every search head? If the answer is yes, then can someone ELI5 how the jobs governing DMA run amongst multiple SHs without causing conflicts?

ENVIRONMENT: Search Head Cluster with 3 members, one standalone search head, and 10 indexer peers (no clustering). Our goal was to install the Palo Alto App on all search heads so that we could leverage its dashboards regardless of whether the user is on the SHC or on the standalone.

ISSUE: The Palo Alto app was installed on all search heads specified above. Currently, data model acceleration is configured on the search head cluster for the Palo Alto data models, with a 7 day acceleration range. DMA is NOT set on the standalone. Search head cluster members can leverage the Palo Alto dashboards, but the standalone does not populate the dashboards with any data. Maybe I'm chasing a red herring, but the only configuration difference I'm aware of is DMA not being enabled on the standalone SH. I've confirmed that indexer peers have datamodel_summary folders for the indexes associated with Palo Alto data. No indexing is being done locally on the search heads.

1 Solution

s2_splunk
Splunk Employee

DMAs carry the GUID of the Splunk search head (cluster) that generated it in their name. They cannot be shared amongst each other.
Note that there is only one DMA summary per Search Head Cluster, not one for each cluster member.



robertl_kinney
Explorer

Thank you, but I'm still a bit confused. Per your answer: does that mean the standalone SH is unable to take advantage of the DMA? Maybe all I need to do is enable DMA on the standalone SH, but I'm wary of doing so because 1) I don't know if that would clobber settings for DMA on the SHC and 2) I don't know if that's even the root cause for my issue where the PA dashboards aren't populating.


s2_splunk
Splunk Employee

Yes, the DMA is only usable by the search head that created it. To take advantage of DMA on the standalone SH, you need to enable the DMA there as well. Since they are separated by the Splunk instance GUID (generated on first SH start and stored in $SPLUNK_HOME/etc/instance.cfg), there will be no conflict between the two.

Whether that is the reason for your PA dashboards not populating is something I can't answer, but it is absolutely possible if the underlying searches are using tstats to search against the accelerated DMs.

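A quick way to check the answer above before touching any DMA settings, as an added example (my own script, not code from the thread or from Splunk): read each search head's GUID from its instance.cfg and see whether that GUID owns any summaries in an indexer's datamodel_summary tree. The `[general]` / `guid =` format of instance.cfg is as Splunk writes it; the `<bucket>/<search-head-guid>/<model>` directory layout and the GUID values are assumptions constructed for the demo, not copied from a live indexer.

```shell
#!/bin/sh
# Check which search heads own data model summaries on an indexer.
set -e

# Print the guid value from an instance.cfg file ([general] stanza, "guid = ...").
sh_guid() {
    sed -n 's/^[[:space:]]*guid[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# List the distinct search head GUIDs that appear one level below each bucket
# in a datamodel_summary tree (assumed layout: <bucket>/<sh_guid>/<model>).
summary_owners() {
    find "$1" -mindepth 2 -maxdepth 2 -type d | awk -F/ '{print $NF}' | sort -u
}

# Succeed only if summaries owned by search head GUID $1 exist under tree $2.
has_summaries() {
    summary_owners "$2" | grep -qx "$1"
}

# Constructed fixture: the SHC's GUID owns summaries, the standalone SH's does not.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
shc_guid=11111111-AAAA-4AAA-8AAA-111111111111
standalone_guid=22222222-BBBB-4BBB-8BBB-222222222222
printf '[general]\nguid = %s\n' "$shc_guid" > "$demo/shc_instance.cfg"
printf '[general]\nguid = %s\n' "$standalone_guid" > "$demo/standalone_instance.cfg"
mkdir -p "$demo/datamodel_summary/bucket_1/$shc_guid/DM_SplunkforPaloAltoNetworks_pan_firewall"
mkdir -p "$demo/datamodel_summary/bucket_2/$shc_guid/DM_SplunkforPaloAltoNetworks_pan_firewall"

# Report, per search head, whether this indexer holds summaries it can use.
for cfg in "$demo"/*_instance.cfg; do
    g=$(sh_guid "$cfg")
    if has_summaries "$g" "$demo/datamodel_summary"; then
        echo "$(basename "$cfg"): summaries present for $g"
    else
        echo "$(basename "$cfg"): no summaries for $g (tstats on this SH will return nothing)"
    fi
done
```

On a real indexer, point `has_summaries` at `$SPLUNK_DB/<index>/datamodel_summary` and pass the GUID read from each search head's `$SPLUNK_HOME/etc/instance.cfg`; a GUID that never appears there is a search head with no accelerated data of its own.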