The following are the spec and example files for datamodels.conf.
# Version 6.0 # # This file contains possible attribute/value pairs for configuring datamodels. # To configure a datamodel for an app, put your custom datamodels.conf in # $SPLUNK_HOME/etc/apps/MY_APP/local/ # For examples, see datamodels.conf.example. You must restart Splunk to enable configurations. # To learn more about configuration files (including precedence) please see the documentation # located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles # GLOBAL SETTINGS # Use the [default] stanza to define any global settings. # * You can also define global settings outside of any stanza, at the top of the file. # * Each conf file should have at most one default stanza. If there are multiple default # stanzas, attributes are combined. In the case of multiple definitions of the same # attribute, the last definition in the file wins. # * If an attribute is defined at both the global level and in a specific stanza, the # value in the specific stanza takes precedence. [<datamodel_name>] * Each stanza represents a datamodel; the datamodel name is the stanza name. acceleration = <bool> * Set this to true to enable automatic acceleration of this datamodel * Automatic acceleration will create auxiliary column stores for the fields and values in the events for this datamodel on a per-bucket basis. * These column stores take additional space on disk so be sure you have the proper amount of disk space. Additional space required depends on the number of events, fields, and distinct field values in the data. * These column stores are created and maintained on a schedule you can specify with 'acceleration.cron_schedule', and can be later queried with the 'tstats' command acceleration.earliest_time = <relative-time-str> * Specifies how far back in time Splunk should create these column stores * Specified by a relative time string, e.g. '-7d' accelerate data within the last 7 days * Defaults to the empty string, meaning create these stores for all time acceleration.cron_schedule = <cron-string> * Cron schedule to be used to probe/generate the column stores for this datamodel
# Version 6.0 # # Configuration for example datamodels # # An example of accelerating data for the 'mymodel' datamodel for the # past five days, generating and checking the column stores every 10 minutes [mymodel] acceleration = true acceleration.earliest_time = -5d acceleration.cron_schedule = */10 * * * *
This documentation applies to the following versions of Splunk® Enterprise: 6.0