Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best practice to change the definition of a datamodel

marcokrueger
Path Finder
‎04-20-2015 11:51 PM

hi,
I have a heavy datamodel which is used by several dashboards. The acceleration takes more than one hour so when I change the definition of the model, the dashboards are not usable for at least one hour.
What is the best way to manage such a case without any model downtime ?

Like a pre-acceleration of the new model and than switching the two models, the old and the new one?

best regards Marco

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎04-21-2015 12:16 AM

I think you're half way there. In order to enact this plan with near-zero downtime, you'd need to build a macro for that datamodel name so that all the dashboards use something like `beefy_DM_all_users` who's value holds the name of your datamodel. That way, if you clone the datamodel (or import it ) and make your change, then accelerate... once it's ready to go, you just change the value of the macro to point to your new datamodel ie, beefyDMallUsers16 and all the dashboards now point to the new one.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

Reply
Solved! Jump to solution
Solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎04-21-2015 12:16 AM

I think you're half way there. In order to enact this plan with near-zero downtime, you'd need to build a macro for that datamodel name so that all the dashboards use something like `beefy_DM_all_users` who's value holds the name of your datamodel. That way, if you clone the datamodel (or import it ) and make your change, then accelerate... once it's ready to go, you just change the value of the macro to point to your new datamodel ie, beefyDMallUsers16 and all the dashboards now point to the new one.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
Reply
Solved! Jump to solution

marcokrueger
Path Finder
‎04-21-2015 01:10 AM

Thank you for the input. 🙂 What can I do for Users using pivot and saved dashboards via the webapp so dont use macros?

0 Karma
Reply
Solved! Jump to solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎04-21-2015 04:33 PM

Pivot is going to be a puzzle...
Because it starts with the datamodel and then it's attached to it.
Now you can either enact or instruct people that they must replace the datamodel name (in the search string) with your macro but that'll happen over and over. (dashboard, edit panels, click the pivot icon, edit search string.
(this is just text in the dashboard... so theoretically, you could run a clean up script to overwrite the name of the dashboard with the macro...

but that might be overkill

So I think you might have to consider that any changes would have to happen off hours... and you might just be stuck with the one datamodel being edited and accelerated. 😕

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...