We have a SHC of three members & 1 Enterprise Security. Prior to 8.0 each were running their own datamodels. Now that shared datamodel summaries is possible, I would like to set this up to reduce performance and disk usage but have questions about the exact implementation as the documentation is vague:
[https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Sharedatamodelsummaries][1]
I know that in datamodels.conf I need to set acceleration.source_guid but that's it.
My questions are:
1. Do I set this on the ES?
2. Do I use /opt/splunk/etc/system/local/datamodels.conf?
3. What would be the best way to verify the datamodels have been consolidated down to 1 copy? (Right now datamodels are an exact copy of each other.)
[1]: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Sharedatamodelsummaries