Data Model Acceleration (DMA) is critical to proper alerting in the Splunk Enterprise Security Suite. This tutorial will walk you through the process of auditing your DMA searches so they’re running as efficiently as possible.
Splunk uses Data Model Acceleration (DMA) to allow searches to run faster than they would against the raw data. This is important for products such as Splunk Enterprise Security (ES), which rely on constantly running searches across significant volumes of data in order to identify anomalies or security-actionable events. Correlation searches within ES will typically run against accelerated data models in order to return results quickly.
Why is performance important?
In a Splunk ES environment, there are searches running constantly. Data model summary searches will run continuously to build the data models, and correlation searches will run on a regular schedule (as often as every 5 minutes) to minimize the amount of time between when an event occurs and when an alert fires.
If DMA summarization falls behind, security alerts can be missed. This is because a correlation search will run against a data model that does not yet contain data for the time window the search covers, so events in that window are never evaluated by the search.
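As an added example (not part of the original tutorial), the following Python check models the failure mode just described: given how far each accelerated data model's summary has been built and each correlation search's look-back window, it reports which searches would fire against a window the summary does not yet fully cover. The field names and sample values are constructed assumptions for illustration, not Splunk's REST or summarization output.

```python
"""Audit check for the DMA lag failure mode: a correlation search whose
look-back window extends past the point its data model has been
summarized to will silently miss events in the uncovered part.
Field names and sample data below are constructed assumptions."""
import re

# Splunk-style relative time modifiers handled here, e.g. "-5m", "-1h", "-2d"
_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_REL = re.compile(r"^-(\d+)([smhd])$")


def relative_seconds(modifier):
    """Convert a relative time modifier such as '-15m' into seconds back."""
    m = _REL.match(modifier.strip())
    if not m:
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    return int(m.group(1)) * _UNIT[m.group(2)]


def window_coverage(summarized_to, window_start, now):
    """Fraction of [window_start, now] that the summary actually contains."""
    if summarized_to is None or summarized_to <= window_start:
        return 0.0
    return (min(summarized_to, now) - window_start) / (now - window_start)


def find_uncovered_searches(summaries, correlation_searches, now, min_coverage=1.0):
    """Return correlation searches whose window is covered below min_coverage.

    summaries: {datamodel name: epoch seconds the summary has been built up to}
    correlation_searches: dicts with 'name', 'datamodel', 'earliest' (e.g. '-5m')
    now: epoch seconds at which the scheduled search fires
    """
    flagged = []
    for cs in correlation_searches:
        window_start = now - relative_seconds(cs["earliest"])
        coverage = window_coverage(summaries.get(cs["datamodel"]), window_start, now)
        if coverage < min_coverage:
            flagged.append({"name": cs["name"], "datamodel": cs["datamodel"],
                            "coverage": coverage})
    return flagged


# Constructed sample: two models lag by 2 min and 1 h, one has no summary at all.
SAMPLE_NOW = 1_700_000_000
SAMPLE_SUMMARIES = {"Authentication": SAMPLE_NOW - 120, "Network_Traffic": SAMPLE_NOW - 3600}
SAMPLE_SEARCHES = [
    {"name": "A", "datamodel": "Authentication", "earliest": "-5m"},
    {"name": "B", "datamodel": "Network_Traffic", "earliest": "-15m"},
    {"name": "C", "datamodel": "Network_Traffic", "earliest": "-24h"},
    {"name": "D", "datamodel": "Endpoint", "earliest": "-1h"},
]
```

Searches with a short look-back are hit hardest: a 2 minute lag removes 40% of a 5 minute window but only about 4% of a 24 hour one, which is why frequent correlation searches are the first to miss events when summarization falls behind.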
Improving your DMA search efficiency
Here are four ways you can streamline your environment to improve your DMA search efficiency.
1. Identifying data model status
To check the status of your accelerated data models, navigate to Settings -> Data models on your ES search head: