Splunk Enterprise Security

Does Enterprise Security automatically re-enable data model acceleration?

Lowell
Super Champion

I'm trying to disable acceleration on a data model that's consuming a massive amount of memory on the indexers. All the correlation searches for this data model are disabled, and I'm fine with some of the related dashboards being slow or unavailable (if they use tstats, for example).

I disabled acceleration and it was re-enabled a few hours later. So far no one has confessed to re-enabling it.

So I'm wondering if there's some automatic "protect-you-from-yourself" functionality that turns acceleration back on automatically.

1 Solution

Lowell
Super Champion

Yes, ES will automatically override DM acceleration state. This can be controlled under the "Data Inputs" manager UI. There's an entry called "Data Model Acceleration Enforcement" where this can be controlled on a more permanent basis.

This is controlled via modular input called dm_accel_settings that will enforce these settings.

View solution in original post

Lowell
Super Champion

Yes, ES will automatically override DM acceleration state. This can be controlled under the "Data Inputs" manager UI. There's an entry called "Data Model Acceleration Enforcement" where this can be controlled on a more permanent basis.

This is controlled via modular input called dm_accel_settings that will enforce these settings.

koshyk
Super Champion

do you know how to change it in a Clustered ES system? (coz via its not changeable)

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...