Showing posts with label Splunk.

Friday, August 3, 2018

No indexes are shown for Roles in GUI after upgrade to 7.1.0


### SPL-156316, SPL-145546

Workaround:
Replace the $SPLUNK_HOME/etc/apps/search/default/data/ui/manager/authentication_roles.xml file on the search head with the version from any Splunk Enterprise 6.6.x release. Then refresh the configuration on the search head by calling a debug refresh (http[s]://[splunkweb hostname]:[splunkweb port]/debug/refresh) from a supported web browser.

Splunk 7.1.0 and DMA acceleration backfill.


Splunk version 7.1.0 data model backfill causes heavy load on indexer peers.
SPL-155560, SPL-155219

DMA accelerates too much data when acceleration.backfill_time is unset, resulting in heavy indexer load.
Workaround:
acceleration.backfill_time needs to be set for all accelerated data models (DMA searches) in datamodels.conf. Otherwise the DMA will attempt to backfill for "all time".


# To list all apps with an accelerated data model, run this on your SH (or on the deployment server against /etc/deployment-apps). The pattern also matches "acceleration=1" written without spaces:
grep -R --include="datamodels.conf" -E -e '^acceleration[[:space:]]*=[[:space:]]*(1|true)' /opt/splunk/etc/apps/

Then put your changes in the app's local directory so that upgrades do not overwrite them. Also consider lowering acceleration.max_concurrent from the default of 3 if your indexers are very busy. For every stanza with acceleration = 1 (or true), create your config in:
/local/datamodels.conf

[stanza]
acceleration.backfill_time = -5d
acceleration.max_concurrent = 2

How many days back you choose to backfill depends on your environment's performance, but it can never be more than “acceleration.earliest_time”.
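As an added example (not code from the post or from Splunk), here is a small Python audit that does what the grep-and-edit steps above do by hand: it merges each app's default/ and local/ datamodels.conf the way Splunk layers them, lists accelerated data models that have no acceleration.backfill_time, flags a backfill_time that is wider than acceleration.earliest_time, and prints a local/datamodels.conf fragment with the values used in the post. The conf parser, the rounded month/quarter/year lengths used to compare relative-time modifiers, the SAMPLE_* stanzas and the audit_apps helper are all assumptions of this example, not Splunk's own.

```python
import re
from pathlib import Path

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800,
                 "mon": 30 * 86400, "q": 90 * 86400, "y": 365 * 86400}  # month/quarter/year are rounded
_REL_RE = re.compile(r"^-?(\d+)(mon|s|m|h|d|w|q|y)$")  # 'mon' must be tried before 'm'

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; skips comments, joins backslash continuations."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = (pending + raw.lstrip() if pending else raw).rstrip()
        pending = line[:-1] if line.endswith("\\") else ""   # value continues on the next line
        if pending:
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in stripped and current is not None:
            key, _, value = stripped.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def merge_layers(*layer_texts):
    """Merge conf layers in precedence order (default first, local last), key by key, as Splunk does."""
    merged = {}
    for text in layer_texts:
        for stanza, kv in parse_conf(text).items():
            merged.setdefault(stanza, {}).update(kv)
    return merged

def relative_seconds(modifier):
    """Span of a modifier such as -5d or -1mon@mon with the snap-to part ignored; None if unparsable."""
    core = modifier.split("@", 1)[0].strip()
    if core in ("", "0", "now"):
        return 0
    match = _REL_RE.match(core)
    if not match:
        return None
    count, unit = match.groups()
    return int(count) * _UNIT_SECONDS[unit]

def audit(stanzas):
    """Return (stanza, problem) pairs for accelerated data models whose backfill window is unset or too wide."""
    findings = []
    for name, kv in stanzas.items():
        if kv.get("acceleration", "0").strip().lower() not in ("1", "true"):
            continue                      # not accelerated, nothing to backfill
        backfill = kv.get("acceleration.backfill_time", "")
        earliest = kv.get("acceleration.earliest_time", "")
        if not backfill:
            findings.append((name, "acceleration.backfill_time unset: backfill runs back to "
                                   "acceleration.earliest_time (all time if that is unset too)"))
            continue
        b_secs = relative_seconds(backfill)
        e_secs = relative_seconds(earliest) if earliest else None
        if b_secs is not None and e_secs is not None and b_secs > e_secs:
            findings.append((name, f"acceleration.backfill_time {backfill} is wider than "
                                   f"acceleration.earliest_time {earliest}"))
    return findings

def local_override(stanza_names, backfill_time="-5d", max_concurrent="2"):
    """Render a local/datamodels.conf fragment with the post's values for the stanzas that need fixing."""
    return "".join(f"[{name}]\nacceleration.backfill_time = {backfill_time}\n"
                   f"acceleration.max_concurrent = {max_concurrent}\n\n" for name in stanza_names)

def audit_apps(apps_root):
    """Walk an apps tree ($SPLUNK_HOME/etc/apps or deployment-apps), merging default/ and local/ per app."""
    results = {}
    for app in sorted(p for p in Path(apps_root).iterdir() if p.is_dir()):
        candidates = (app / "default" / "datamodels.conf", app / "local" / "datamodels.conf")
        layers = [c.read_text() for c in candidates if c.is_file()]
        if layers:
            results[app.name] = audit(merge_layers(*layers))
    return results

# Constructed sample standing in for one app's default/ and local/ datamodels.conf (not from a real app).
SAMPLE_DEFAULT = """\
[Network_Traffic]
acceleration = 1
acceleration.earliest_time = -1mon
[Web]
acceleration = true
acceleration.earliest_time = -3mon
acceleration.backfill_time = -7d
[Malware]
acceleration = 1
acceleration.earliest_time = -7d
acceleration.backfill_time = -1mon
"""
SAMPLE_LOCAL = "[Web]\nacceleration.max_concurrent = 2\n"
if __name__ == "__main__":
    # Stand-alone run audits the constructed sample; audit_apps("/opt/splunk/etc/apps") does the same for real files.
    findings = audit(merge_layers(SAMPLE_DEFAULT, SAMPLE_LOCAL))
    for stanza, problem in findings:
        print(f"[{stanza}] {problem}")
    print(local_override([stanza for stanza, _ in findings]), end="")
```

Run as-is it reports Network_Traffic (no backfill_time at all) and Malware (a 1-month backfill against a 7-day earliest_time), and leaves Web alone because its 7-day backfill sits inside the 3-month acceleration window. Point audit_apps at a real apps directory to get the same report per app; the rendered fragment is only a starting point, since the right backfill window is whatever your indexers can absorb.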

# verify datamodel

On the SH, go to Settings – Data Model.
List all apps, expand the data model that is accelerated and check its status.


Friday, July 27, 2018

Splunk - Tips & tricks

Search macro

In a query you often refer to indexes like this: "index=main sourcetype=syslog", and then you build that search into a dashboard. When your dashboards grow and you need to switch to another index, there are many places where you have to edit your code.

Instead, go to Settings > Advanced search > Search macro, edit or create your macro, and put the index clause there: "index=main".

Now, in any of your queries, refer to this macro instead, like this:
`my_macro` sourcetype=syslog
Whenever you need to change the index or add more indexes, the macro is the only place you have to edit.

Monday, November 9, 2015

Checkpoint OPSEC LEA Splunk

If you intend to index your firewall logs into Splunk, consider the size. Normally, indexed logs in Splunk are about half the original size, but in this case, because the Checkpoint log format is binary, the indexed data ends up three times as big.

With that in mind, and with SmartLog actually working so well, I wouldn't index all logs but only the Management logs.