Datamodels getting rebuild after after attaching i...

AKG1_old1 · ‎10-09-2019

Hello,

We are trying to move from Single node installation to multinode/Distributed Search Installation(1SH and 2 Indexer) - Not clustered

for this we have copied full Production installation and attached it as Indexer in new distributed Search Setup.

Issue is datamodels are getting rebuild. Is this expected ?

we have many big datamodels and don't want them to rebuild if possible. It takes 12hrs+ to rebuild and machine is swamped as its heavy process.

FYI : When I copied Full Prod as Indexer I have trimmed down our App (having datamodels)

Kept these files in App and removed everything else. Not sure if there is any other files needed to stop rebuilding datamodels.
app.conf
datamodels.conf
eventtypes.conf
indexes.conf
props.conf
transforms.conf

Thanks

ivanreis · ‎10-09-2019

This is the expected datamodel behavior. Every time you have to edit the datamodel, the acceleration have to be disabled and when you enable it again, splunk will create the summary index to accelerate the output results from datamodel and it is based on the amount of data you have on the datamodel.

for further information check these documents -> https://docs.splunk.com/Documentation/Splunk/7.3.2/Knowledge/Managedatamodels

AKG1_old1 · ‎10-10-2019

Hi,

I understant that if we have to edit datamodel accelration need to be disabled. but in my case I haven't edit datamodels, its exact same. Even I have tried attaching my full installation as Indexer to another SH without changing anything. Still its rebuilding the datamodels.

Just wanted to know if there is any way to move Indexer to another setup without rebuilding datamodels.

Datamodels getting rebuild after after attaching it to new Search Head.

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?