Data Engineering • Room 3

Data Model Acceleration

Accelerated data models are the engine of Splunk Enterprise Security (ES). They build high-performance TSIDX (time-series index) summaries of CIM-mapped data.

By using `tstats` on these accelerated models, Splunk reads the prebuilt summaries instead of raw data from disk, making massive SIEM searches far faster.
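
An added example, not part of the original lesson: `tstats` defaults to `summariesonly=false` and falls back to raw events for time ranges that are not yet summarized, so a plain count returns results whether or not the summaries are complete. The search below compares summary-only results with the total to show how much of the data model is actually accelerated; the 24-hour window is an assumption.

```spl
| tstats summariesonly=true count AS summarized
    from datamodel=Network_Traffic where earliest=-24h
| appendcols
    [| tstats summariesonly=false count AS total
        from datamodel=Network_Traffic where earliest=-24h]
| eval coverage_pct = round(100 * summarized / total, 1)
```

A `coverage_pct` well below 100 means part of the window is still being served from raw events, and detections that run with `summariesonly=true` will miss those events until the summaries catch up.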

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
Write a query to verify acceleration of the "Network_Traffic" datamodel by using `tstats count from datamodel=Network_Traffic`.