Getting Started With Tstats & Accelerated Data Models – Part 2

You’ve decided tstats and DMA are a good fit for you, or at least worth checking out. Excellent, let’s jump right into it!

Web analytics, now faster!

In this example we’ll look at Apache weblogs from our parent site https://gosplunk.com. We’re going to build the data model from scratch.

Step 1 – Configure your indexes.conf to allow data models

Open your indexes.conf and add the following line:

tstatsHomePath = volume:_splunk_summaries/$_index_name/datamodel_summary

I’ve added it to my own web_traffic index stanza. Simply change the “$_index_name” section to your index name (in my example I’ve changed mine to web_traffic).

Now restart Splunk!

If you’re part of an indexer cluster, push the indexes.conf change via your cluster master.
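To confirm Step 1 took effect before building anything on top of it, the check below reads an indexes.conf and reports, per index, whether tstatsHomePath is set and whether the volume it names is defined. This is an added example, not code from the original post. It assumes a single file (it does not model Splunk's configuration layering), and the firewall and proxy indexes and the summaries_fast volume are made-up names in a constructed sample.

```python
import configparser

# Constructed sample indexes.conf (trimmed; not from the original post).
# firewall, proxy and summaries_fast are hypothetical names.
SAMPLE_CONF = """
[volume:_splunk_summaries]
path = $SPLUNK_DB

[web_traffic]
homePath = $SPLUNK_DB/web_traffic/db
tstatsHomePath = volume:_splunk_summaries/$_index_name/datamodel_summary

[firewall]
homePath = $SPLUNK_DB/firewall/db

[proxy]
homePath = $SPLUNK_DB/proxy/db
tstatsHomePath = volume:summaries_fast/proxy/datamodel_summary
"""


def check_tstats_paths(conf_text):
    """Return {index: (status, resolved_path)} for every index stanza."""
    # interpolation=None keeps "$SPLUNK_DB" literal; a [default] stanza in the
    # same file is inherited by the other stanzas, as Splunk does.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="default")
    cp.optionxform = str  # setting names are case-sensitive
    cp.read_string(conf_text)
    volumes = {s.split(":", 1)[1] for s in cp.sections() if s.startswith("volume:")}
    report = {}
    for stanza in cp.sections():
        if stanza.startswith("volume:"):
            continue  # volume definitions are not indexes
        path = cp.get(stanza, "tstatsHomePath", fallback=None)
        if path is None:
            report[stanza] = ("missing", None)
            continue
        # Splunk expands $_index_name to the name of the index stanza.
        path = path.replace("$_index_name", stanza)
        status = "ok"
        if path.startswith("volume:"):
            volume = path[len("volume:"):].split("/", 1)[0]
            if volume not in volumes:
                status = "undefined-volume"
        report[stanza] = (status, path)
    return report


if __name__ == "__main__":
    for index, (status, path) in check_tstats_paths(SAMPLE_CONF).items():
        print(f"{index:12} {status:17} {path}")
```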

Step 2 – Build your data model.

Log into Splunk Web, navigate to “Settings” and choose “Data models”.

Select “New Data Model”.

Name and create your data model.

Change the permissions (data models won’t accelerate without changing the permissions).

Choose Add dataset, and add a root event. For the sake of simplicity, I’m going to add my own index in there as “index=web_traffic”

Choose Preview and you should see data populate. If there is no data, verify that you do not have a typo in your “constraints” section.

Click Save and your data model is created!

Step 3 – Populate your data model with fields.

At this time your data model only has default fields. Let’s change that by adding some auto-extracted fields.

Click “Add-Field” and choose “Auto-Extracted”.

Add the field of choice in the list below and click “Save”

If you do not see the field you wish to extract, but you are certain it is a field that has a search-time extraction, select “Add by Name” at the top of the window and type it in manually.

Click Save.

To verify your fields, you can now select “Edit” to the right of a field and choose “Preview” to ensure data populates as expected.

Now exit out of the preview screen.

Step 4 – Accelerate the data model.

It’s time to make the magic happen by accelerating your data model. This can be done by selecting “Edit” and choosing “Edit Acceleration”.

Check the box for “Accelerate”. Choose a date range for your accelerated data (typically the date range your users will search back for MOST use-cases), then select “Save”.

It is now time to hurry up and wait. Go grab a coffee, because this might take some time. You can check on the progress under the main “Data Models” section. There is an auto-refresh on the page, but if you are impatient like I am you can press “refresh” on your browser to manually check the status of the data model build process.

When it’s finished you’ll see a status of 100% completed and a size on disk. As I mentioned earlier, this is one way to see the additional disk space required for DMA. You’ll want to be mindful of this if you have severe disk limitations.

In the next section we’ll show how to start using data models and write tstats queries.
