Data Model Acceleration Enforcement

image

Data Model Acceleration Enforcement

We have seen a few customers run into the following "gotcha" regarding data model acceleration.  Whether it be for temporary or permanent reasons, a user disables acceleration on a data model, which myesteriously is re-enabled after a restart.  To counter this, a feature called Data Model Acceleration Enforcement allows administrators to lock acceleration.  This feature is found under "Setting" > "Data Models."  Here’s how it works:

Through the user interface:

I will be using one of the default data models found within the Splunk App for Enterprise Security called “Network Traffic”.  As a note, all accelerated data models in the Splunk App for Enterprise Security are subject to enforcement.

Since this acceleration is considered a modular input, navigate to "Settings" > "Data Inputs" > "Data Model Acceleration Enforcement" to disable enforcement.

Here you will find all accelerated data models with enforcement enabled:

Simply disable enforcement for the data model of your choosing, then navigate back to "Settings" > "Data Models," and edit the acceleration settings for your data model:

Your changes should now persist, even through restarts!

 

What this looks like through the file system:

If you prefer making these edits through the command line, these configurations are not found within datamodels.conf.  Again, since these are classified as a Data Input, they are found within inputs.conf. 

Let’s use the “Network Traffic” data model again as an example.  The inputs.conf file that contains these configurations in the Splunk App for Enterprise Security would be in this file path: SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local.  As a side note, your enforcement configurations will be save to whichever app you select when the enforcements are created.  Here is a sample of what this file looks like:

As you can see the stanza for Network_Traffic has been disabled.  In fact, if you chose to mass edit data model acceleration enforcement, this would be the way to go.  As a final thought, please remember that when disabling data model acceleration, after enforcement has been disabled, you still need to go back and disable the acceleration itself.  These configurations are merely the “lock on the door."  Hope this tip helps.  Goodbye until next time.

Tags: data model, acceleration, Enterprise Security, Splunk

Subscribe to Our Newsletter

Stay In Touch