Splunk® Common Information Model Add-on

Common Information Model Add-on Manual



This documentation does not apply to the most recent version of CIM.

Accelerate CIM data models

You can accelerate a data model to speed up the data set represented by that data model for reporting purposes. After you accelerate a data model, reports and dashboard panels that reference the accelerated data model return results faster. A data model's summary range setting affects the size of the data models on disk, and the processing load of creating accelerated data alongside the index buckets. For more information about accelerating data models, see Enable data model acceleration in the Knowledge Manager Manual for Splunk Enterprise.

Enable data model acceleration

By default, data model acceleration is disabled for all models included in the Splunk Common Information Model Add-on.

Configure the acceleration parameters of the CIM data models in the CIM Setup view.

  1. In Splunk Web, go to Apps > Manage Apps.
  2. Click on Set up in the row for Splunk Common Information Model.
  3. Click on the Settings tab.
  4. Select a data model that you want to accelerate.
  5. Click the box next to acceleration.enabled to accelerate the model.
  6. (Optional) Configure the advanced acceleration settings.
    | Parameter | Description |
    | --- | --- |
    | acceleration.backfill_time | How far back in time the Splunk platform should create its column stores, specified as a relative time string. Only set this parameter if you want to backfill less data than the retention period set by 'acceleration.earliest_time'. Refer to datamodels.conf.spec for warnings and limitations. |
    | acceleration.earliest_time | How far back in time the Splunk software should keep these column stores, specified as a relative time string. |
    | acceleration.max_time | The maximum amount of time that the column store creation search is allowed to run, in seconds. |
    | acceleration.max_concurrent | The maximum number of concurrent acceleration instances for this data model that the scheduler is allowed to run. |
    | acceleration.manual_rebuilds | When checked, this setting prevents outdated summaries from being rebuilt by the 'summarize' command. Admins can manually rebuild a data model through the Data Model Manager page by expanding the row for the affected data model and clicking Rebuild. |

    For more detailed reference information on these fields, see Advanced configurations for persistently accelerated data models in the Knowledge Manager Manual in the Splunk Enterprise documentation.
  7. Click Save.

For more information about accelerated data models and data model acceleration jobs, see Use the Data Model Audit dashboard in this topic.

Disable acceleration for a data model

If you have Splunk Enterprise Security or the Splunk App for PCI Compliance installed, some of the data models in the CIM are automatically accelerated by configuration settings in these apps. If you want to change which data models are accelerated by these apps, access the Data Model Acceleration Enforcement modular input on your search head and make your changes there. If you attempt to unaccelerate a data model using any other method, including using the Settings tab in the CIM Setup page, your changes will not persist because the app's acceleration enforcement re-accelerates the data models automatically.

If you do not have an app installed that enforces acceleration of any CIM data models, you can edit the acceleration settings on the CIM Setup page.

  1. In Splunk Web, go to Apps > Manage Apps.
  2. Click on Set up in the row for Splunk Common Information Model.
  3. Click on the Settings tab.
  4. Select the data model for which you want to disable acceleration.
  5. Uncheck the box next to acceleration.enabled to stop accelerating this data model.
  6. Click Save.

Change the summary range for data model accelerations

A data model's summary range setting affects the size of the data models on disk, and the processing load of creating accelerated data alongside the index buckets.

  1. In Splunk Web, go to Apps > Manage Apps.
  2. Find the Splunk Common Information Model add-on.
  3. Click Set up to open the CIM Setup page.
  4. Click the Settings tab.
  5. Select the data model you want to change.
  6. Set a summary range:
    1. Review the acceleration.enabled setting. A summary range only applies to accelerated data models.
    2. Review the acceleration.earliest_time setting to determine the current summary range.
    3. Change the acceleration.earliest_time setting. Examples: -1y, -3mon, -1mon, -1w, -1d, or 0 for "All Time".
  7. Select Save.

The CIM Setup page will only display CIM data models. A custom data model will not be displayed and cannot have its settings changed from the CIM Setup page. To change the summary range or other settings on a custom data model, manually edit the datamodels.conf provided with the app or add-on. For more information, see the datamodels.conf spec file in the Splunk Enterprise Admin Manual.
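
A custom app's datamodels.conf can be checked before deployment against the constraint described for acceleration.backfill_time (backfill less than the retention period). The Python script below is an added example, not part of the Splunk documentation; the stanza names and sample file are constructed, and it assumes the datamodels.conf setting names `acceleration`, `acceleration.earliest_time` and `acceleration.backfill_time` and handles only simple relative time strings such as -3mon (no snap-to modifiers).

```python
import configparser
import re

# Constructed sample datamodels.conf for a custom app; stanza names are hypothetical.
SAMPLE_CONF = """
[Custom_Auth]
acceleration = true
acceleration.earliest_time = -1mon
acceleration.backfill_time = -3mon
[Custom_Web]
acceleration = true
acceleration.earliest_time = -1y
acceleration.backfill_time = -1w
[Custom_DNS]
acceleration = false
"""

# Approximate unit lengths in days; precise enough to compare two ranges.
UNIT_DAYS = {"d": 1, "w": 7, "mon": 30, "q": 91, "y": 365}

def range_days(value):
    """Convert a relative time string such as -3mon to days; 0 means All Time."""
    if value == "0":
        return float("inf")
    m = re.fullmatch(r"-(\d+)(d|w|mon|q|y)", value)
    if not m:
        raise ValueError(f"unsupported relative time string: {value!r}")
    return int(m.group(1)) * UNIT_DAYS[m.group(2)]

def audit(conf_text):
    """Return {data model: finding} for each stanza in a datamodels.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = {}
    for model in cp.sections():
        s = cp[model]
        if not s.getboolean("acceleration", fallback=False):
            findings[model] = "not accelerated (summary range does not apply)"
            continue
        # Assumption of this example: a missing earliest_time is treated as All Time.
        keep = range_days(s.get("acceleration.earliest_time", "0"))
        backfill = s.get("acceleration.backfill_time")
        if backfill is not None and range_days(backfill) > keep:
            findings[model] = "backfill_time exceeds earliest_time"
        else:
            findings[model] = "ok"
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```
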

Use the Data Model Audit dashboard

Use the Data Model Audit dashboard to display information about the state of data model accelerations in your environment. Alternatively, use the `cim_datamodelinfo` macro to search the data model statuses from the search bar.

To access the dashboard:

  1. Go to the Search and Reporting app.
  2. In the menu bar, click Dashboards.
  3. Select the Data Model Audit dashboard.

Check the status of data model accelerations

| Panel | Description |
| --- | --- |
| Top Accelerations By Size | Displays the accelerated data models sorted in descending order by MB on disk. |
| Top Accelerations By Run Duration | Displays the accelerated data models sorted in descending order by the time spent on running acceleration tasks. |
| Acceleration Details | Displays a table of the accelerated data models with additional information. |

Last modified on 12 December, 2016

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.5.0, 4.6.0

