Enable Sharing of Datamodel Acceleration Summaries between Search Heads
2024-3-12 11:28:56 Author: securityboulevard.com

Introduction

If you’re running Splunk Enterprise Security Suite, you are already leveraging accelerated datamodels to power your detections and alerting. However, there may be situations where you want to leverage those same datamodels you already have when running searches on your other search heads. You could enable acceleration on all your search heads, but doing so will result in higher resource consumption, because each search head runs its own duplicate searches to build the same datamodel acceleration (DMA) summaries.

But, there is a better option! Splunk now allows sharing of data model acceleration summaries across search heads, and it’s pretty easy to set up. Here’s how you do it!

1. On the search head that is currently accelerating summaries, identify the accelerated datamodels that you would like to share. You can view these by going to Settings -> Data Models. You’ll also want to verify the app context for each data model. On a Splunk Enterprise Security (ES) search head, these are typically defined in the Splunk_SA_CIM app.
2. Ensure that the same apps are installed on the search head where you want to share the datamodels. For example, if all of your datamodels are accelerated in the Splunk_SA_CIM app on the ES search head, you’ll want to make sure that this same app is installed on the new search head.
3. On your ES search head (assuming this is a standalone instance), grab the GUID from $SPLUNK_HOME/etc/instance.cfg.
4. On your new search head, check the current status of your datamodels. Assuming this is a new installation, you won’t see acceleration enabled for any data model.
5. Configure the acceleration.source_guid parameter for a data model where you want to share the summaries. I recommend picking one for testing first, then applying others. In this example, we’ll start with the Authentication data model.
6. Restart Splunk on the new search head, and then check the data models settings page again. You’ll see that it now indicates the Authentication data model is accelerated.
7. On the new search head, run the following search to confirm that you can access the shared datamodel. If you get results, it means it is working!
8. Repeat the process for other datamodels that you would like to share, making sure you use the same app context on the new search head as where the datamodels are defined on the origin search head.
9. That’s it! All of these datamodels are now shared and available on your new search head.
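Steps 3 and 5 above boil down to copying one value (the source search head's GUID) into one setting (acceleration.source_guid) under the right app context. The following POSIX shell script is an added example, not code from the original post or from Hurricane Labs: it pulls the GUID out of a constructed sample of instance.cfg, refuses to continue if the value is missing or malformed, and renders the datamodels.conf stanza for the Authentication data model. The sample GUID, the `acceleration = 1` line and the Splunk_SA_CIM local path are assumptions for illustration; confirm them against your own deployment.

```shell
#!/bin/sh
# Added example (not from the original post): derive a datamodels.conf stanza
# for the target search head from the source search head's instance.cfg.
# The sample GUID, the local path and the "acceleration = 1" line are assumptions.

# Constructed sample of $SPLUNK_HOME/etc/instance.cfg from the ES (source) search head.
SAMPLE_INSTANCE_CFG='[general]
guid = 0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9
'

# Read instance.cfg content on stdin and print the first guid value found.
# Tolerates spaces around "=" and CRLF line endings.
extract_guid() {
  tr -d '\r' \
    | sed -n 's/^[[:space:]]*guid[[:space:]]*=[[:space:]]*\([0-9A-Fa-f-]*\).*/\1/p' \
    | head -n 1
}

# Succeed only for a well-formed GUID (8-4-4-4-12 hex groups); an empty or
# truncated value would silently point the target at a non-existent source.
validate_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Render the stanza for one data model, pointing it at the source GUID.
render_stanza() {
  model="$1"
  guid="$2"
  printf '[%s]\nacceleration = 1\nacceleration.source_guid = %s\n' "$model" "$guid"
}

main() {
  guid=$(printf '%s' "$SAMPLE_INSTANCE_CFG" | extract_guid)
  validate_guid "$guid" || { echo "no valid guid found in instance.cfg" >&2; return 1; }
  # Same app context as the source search head (Splunk_SA_CIM for ES) -- assumed path.
  echo '# -> $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local/datamodels.conf'
  render_stanza Authentication "$guid"
}

main "$@"
```

On a real target search head you would run the extraction against a copy of the source's instance.cfg and append the rendered stanza to the local datamodels.conf of the app that defines the data model, then restart Splunk as in step 6. The validation step matters because a blank or mistyped source_guid leaves the target with an accelerated-looking data model that never returns summary data.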

Conclusion

At this point, you now know how to leverage shared data model acceleration summaries across your Splunk environment. If you need help getting this set up, or want to enable better security alerting with your Splunk data, reach out to us – we’ll be happy to help!

The post Enable Sharing of Datamodel Acceleration Summaries between Search Heads appeared first on Hurricane Labs.

*** This is a Security Bloggers Network syndicated blog from Hurricane Labs authored by Tom Kopchak. Read the original post at: https://hurricanelabs.com/splunk-tutorials/enable-sharing-of-datamodel-acceleration-summaries-between-search-heads/?utm_source=rss&utm_medium=rss&utm_campaign=enable-sharing-of-datamodel-acceleration-summaries-between-search-heads


Source: https://securityboulevard.com/2024/03/enable-sharing-of-datamodel-acceleration-summaries-between-search-heads/