Splunk Enterprise Security

Data model acceleration not sticking

MKozanic
Path Finder

Hi All,

I'm not that familiar with DMA, as I have not really had any exposure to setting up data models so far, but I am currently having an issue with DMA not staying active.

We had to disable DMA on all ES data models where it was enabled due to an incident recently. Now that the issues have been resolved, we need to re-enable DMA.

I have attempted to do this by following the steps below:
1. Go to the ES app.
2. Click "Configure" -> "CIM Setup".
3. Tick the checkbox next to "Accelerate", change the Summary Range to 7 days (-7 days), then click Save.
4. To verify, click "Configure" -> "Content" -> "Content Management".
5. Filter the type to "Data Model".
6. Check whether the lightning icon in the data model's row is coloured yellow.

This looked like it was working for a while, but when I checked on it after a few hours, all DMA had been disabled again.

I'm not sure why DMA will not stay enabled. I have checked the settings and found nothing obvious as to why this would be happening.

Has anyone else out there had this issue, or got some idea of something I can check as to why this would be happening?

1 Solution

MKozanic
Path Finder

Thanks @richgalloway , 

While your advice was the reverse of what I needed to do, it was correct.

In my case I needed to set acceleration enforcement = True for the models I was trying to enable.

However, due to a known issue in version 6.0 (which we are on), I was not able to do this via the GUI and needed to run a curl command to update it via REST.

curl -ku admin https://<ServerAddress>:8089/servicesNS/nobody/SplunkEnterpriseSecuritySuite/data/inputs/dm_accel_settings/<dataModelName> --data "acceleration=true&manual_rebuilds=true&output_mode=json"
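An added example (not from the thread, and not Splunk's own tooling): a small Python script that issues the same REST call as the curl command above for several data models and then reads each setting back, so a revert like the one described in the question shows up immediately rather than hours later. The host, the model names and the SPLUNK_USER/SPLUNK_PASS environment variables are assumptions; the response layout assumed is the standard Splunk REST JSON envelope.

```python
"""Enable DMA on a list of ES data models through the dm_accel_settings REST
endpoint from the thread, then read each setting back so a silent revert is
caught. Model names are hypothetical; credentials come from the environment."""
import base64
import json
import os
import urllib.parse
import urllib.request

BASE = "/servicesNS/nobody/SplunkEnterpriseSecuritySuite/data/inputs/dm_accel_settings/"

def model_url(host: str, model: str) -> str:
    """Per-model REST URL on the management port (8089, as in the curl command)."""
    return f"https://{host}:8089{BASE}{urllib.parse.quote(model, safe='')}"

def enable_body() -> bytes:
    """Same form fields the curl command in the thread sends."""
    fields = {"acceleration": "true", "manual_rebuilds": "true", "output_mode": "json"}
    return urllib.parse.urlencode(fields).encode()

def acceleration_state(response_json: str) -> dict:
    """Map entry name -> enabled? from the Splunk REST JSON envelope
    {"entry": [{"name": ..., "content": {...}}]}; 'acceleration' may come back
    as "1"/"0" or "true"/"false", so both spellings are normalised."""
    doc = json.loads(response_json)
    return {e["name"]: str(e.get("content", {}).get("acceleration", "0")).lower()
            in ("1", "true") for e in doc.get("entry", [])}

def enable_and_verify(host: str, models: list, user: str, password: str,
                      opener=urllib.request.urlopen) -> dict:
    """POST the enable payload, then GET the setting back; returns name -> stuck?
    TLS verification stays on (no equivalent of curl -k)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}"}
    result = {}
    for model in models:
        url = model_url(host, model)
        opener(urllib.request.Request(url, data=enable_body(), headers=headers)).close()
        with opener(urllib.request.Request(url + "?output_mode=json", headers=headers)) as r:
            result.update(acceleration_state(r.read().decode()))
    return result

if __name__ == "__main__":  # hypothetical host/models; set SPLUNK_USER and SPLUNK_PASS
    print(enable_and_verify("es-search-head.example.internal", ["Authentication", "Network_Traffic"],
                            os.environ["SPLUNK_USER"], os.environ["SPLUNK_PASS"]))
```

Any model that comes back False in the result is one whose acceleration did not stick and is worth re-checking under the enforcement settings richgalloway mentions.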


MKozanic
Path Finder

I have tried to enforce acceleration on one model but am getting an error message: 

[Screenshot attached: MKozanic_1-1627422727057.png]


I just read that this is a known bug with ES 6.0 (we are on 6.0.2), so I am assuming I will need to look at a workaround to get this working.

MKozanic
Path Finder

Hi @richgalloway ,

Looking at the setting again, I noticed that enforcement is set to False. I'm just wondering whether this needs to be updated to True?

[Screenshot attached: MKozanic_0-1627421810499.png]

Would this be the cause of it turning off after it has been running for a while?


richgalloway
SplunkTrust

Check the DMA Enforcement settings at Settings -> Data Inputs -> Datamodel Acceleration Enforcement. Turn off enforcement for each DMA you wish to disable. Then go back to the CIM Setup page to turn off the DMA.

---
If this reply helps you, Karma would be appreciated.


MKozanic
Path Finder

Hi @richgalloway

Thanks for the response, but we want to enable DMA, not disable it.

I did check under DMA Enforcement settings at Settings->Data Inputs->Datamodel Acceleration Enforcement, but all looked OK as best I could see.

I will get some screenshots today and add them to the post.
