KB 096 – Splunk PowerConnnect App DataModel Information
INTRODUCTION
A data model defines fields that create a schema and it can be thought of as a collection of structured information that generates different kinds of searches.
Data model acceleration is a feature that you can use to speed up data models by creating summaries of the datasets. After acceleration, searches based on accelerated data model datasets complete quicker than they did before, as do reports and dashboard panels that are based on those searches.
DATA MODEL TO DASHBOARDS MAPPING
BNW PowerConnect App contains following datamodels and beside them are the dashboards which use that datamodel:
CONFIGURATION
Data Model Acceleration is disabled by default. Admin can enable acceleration and set the acceleration period by the following steps:
- On Splunk’s menu bar, Click on Settings -> Data models
- From the list for Data models, click “Edit” in the “Action” column of the row for the Data model for which acceleration needs to be enabled.
- From the list of actions select Edit Acceleration. This will display the pop-up menu for Edit Acceleration.
- Check Accelerate check box to “Enable” data model acceleration.
- If acceleration is enabled, select the summary range to specify the acceleration period. (Note: This is the time range for which summaries are created. Running search inclusively on this time range will use the summaries and result faster than normal search)
- To save acceleration changes click on the save button.
TROUBLESHOOTING
Splunk recommends 12 CPU cores at 2Ghz or greater speed per core 12GB RAM for proper deployment of Splunk Enterprise. In case the system does not meet these requirements, it may be possible that the acceleration does not happen properly due to the searches getting skipped. The following steps can be followed for troubleshooting:
- On Splunk’s menu bar, Click on Settings -> Monitoring Console
- On the Monitoring Console’s menu bar, Click on Search -> Scheduler Activity: Instance
- One can determine the searches which have skipped by looking at the panels namely ‘Skip Ratio (Last Hour)’, ‘Count of Scheduler Executions Over Time’, ‘Count of Skipped Reports Over Time’ and ‘Count of Skipped Reports by Name and Reason’
- If searches are getting skipped, then following step should be taken to decrease the number of concurrent searches at a given time:
- Open $SPLUNK_HOME -> etc -> apps -> bnw-app-powerconnect-> local -> datamodels.conf (create if not existing)
- Add the following parameter in the datamodels.conf file in the specific datamodel stanza or in a new [default] stanza for global setting:
- Even after that the above step, if searches are getting skipped, then upgrade the core count to the recommended value to allow more concurrent searches at a time.