Deployment Architecture

How do I use the same data model on multiple search heads?

secuc2r83
Path Finder

Hi,

I have 2 independent Search Heads (SH) (no clustering) and they use the same indexers.

On the first SH: I have a data model, and i want users from the 2nd SH request it.

But it's impossible to share it in parameters.

Is it possible to do this? (because in my mind, a data model stores statistics in a new .tsidx on indexers available for my 2 SH)

Thanks

0 Karma
1 Solution

secuc2r83
Path Finder

Hi,

I contact Splunk support:
They confirm that is not possible to share a "datamodel acceleration" if you are not on a Search Head Cluster (SHC).
Because SH not share the same knowledge objects and configurations.

Hope it helps
Regards

View solution in original post

0 Karma

bandit
Motivator

secuc2r83
Path Finder

Hi,

I contact Splunk support:
They confirm that is not possible to share a "datamodel acceleration" if you are not on a Search Head Cluster (SHC).
Because SH not share the same knowledge objects and configurations.

Hope it helps
Regards

0 Karma

woodcock
Esteemed Legend

You cannot share ADMs between search heads. This stinks because it requires multiple copies of the ADMs on disk (one for each Search Head) and multiple executions of the ADM searches wasting Indexer CPUs to run the same searches (actually, it is possible splunk has been enhanced so that the latter is no longer true).

0 Karma

secuc2r83
Path Finder

Hi woodcock,
Thanks for helping

I don't understand why "technologically" i can't, because when i create a DM:

On SH1 create:  
- local/datamodels.conf
- data/model/DM_test.json
On indexer1 create:
- 1st .tsidx
- 2nd .tsidx when accelerate

If i use another Search-Head:

On SH2 create:  
- local/datamodels.conf
- data/model/DM_test.json

Then nothing to create on indexer, just point to .tsidx create by first one

I won't waste indexer CPUs because data already indexed by 1st DM. (don't want to generate again)
Just want to extract data or stats from .tsidx that already exists
Then no CPUs wasting on indexer but just on SH2 during "Search time"
Something wrong ?

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

Becuase different search heads can have different search time extractions and other knowledge objects can be different. This affects what is in the data model and why different search heads can't share the same data models.

0 Karma

HiroshiSatoh
Champion

datamodels.conf needs to be placed in the search head. You need to copy .conf or set it manually.
tsidx is used when acceleration .

0 Karma

secuc2r83
Path Finder

Hi HiroshiSatoh

It works when i do 2 things:
a) Copy datamodels.conf
b) copy "Name_DM".json

But big problem:
When i ask for accelerate data => it build another .tsidx and don't use the first's one
Then i create 2 datamodels .tsidx on indexers with same stats

Any idea ?

0 Karma

HiroshiSatoh
Champion

tsidx is created in the bucket of the index. It is common for each indexer to exist.

0 Karma

secuc2r83
Path Finder

Sorry HiroshiSatoh but i don't understand:
tsidx already exists on my indexers, i just want to point my 2 datamodels on it ?
Is it possible or when accelerate a copy of a datamodels it will always create his own .tsidx ?

Regards

0 Karma

HiroshiSatoh
Champion

Will not you solve in this ”Knowledge Manager Manual”?

https://docs.splunk.com/Documentation/Splunk/7.2.3/Knowledge/Acceleratedatamodels

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...