Splunk Data Model Acceleration Locations

I like data model accelerations for doing generalized reporting or searching over a large volume of data.

A problem we see at a lot of customers and deployments is that they find themselves running out of disk space because they weren’t expecting the data model accelerations to store data in the default location. Most deployments don’t use the default index locations, they use other volumes (in most cases on attached storage). The thing that bites them is that Splunk manages data model acceleration storage using a different “hidden” volume.

By default, Splunk stores data model accelerations in the default location. Even if you have set up volumes that point to separate paths for your indexes (hot/warm and cold, for example), the DMAs will remain in the default $SPLUNK_DB location. You configure this using the _splunk_summaries volume in indexes.conf:

/opt/splunk/etc/system/default/indexes.conf

tstatsHomePath = volume:_splunk_summaries/$_index_name/datamodel_summary
...
[volume:_splunk_summaries]
path = $SPLUNK_DB
...

If you are using a different path for your hot/warm data, you should change the location of the DMAs to match.

Options

Of course, because this is Splunk, to do this you have some options:

  • Change the tstatsHomePath in a global/default stanza
  • Change the tstatsHomePath for each index configuration
  • Change the _splunk_summaries volume configuration

Best Option

(My opinion, of course) The best option here is to change the _splunk_summaries volume.