Running Splunk Enterprise Security at Capacity with Data Model Acceleration
Updated: Oct 19, 2021
Data models, and especially their acceleration, are often misunderstood by Splunk users. Yet they are absolutely critical, especially for Enterprise Security, whose correlation searches and dashboards depend on accelerated data models to run at scale.
In 2017 I gave a presentation at Splunk .conf that is still very relevant. It has the best (according to me) explanation of how data models work, and it goes into detail about their acceleration: how you can ensure acceleration works, how to make the most of it, and why you need it.
This presentation was one of the highest-rated talks of .conf17 and was featured on the landing page at conf.splunk.com after the conference.
The slides are here: https://conf.splunk.com/files/2017/slides/running-enterprise-security-at-capacity-tuning-es-with-data-model-acceleration.pdf
And the talk is here: https://conf.splunk.com/files/2017/recordings/running-enterprise-security-at-capacity-tuning-es-with-data-model-acceleration.mp4
I shared a couple of really useful dashboards here: https://bitbucket.org/GabrielVasseur/dm-dashboards/
I want to thank Kumar Sumeet, Splunk PS consultant at the time, for his help making sense of Splunk's data model acceleration.