https://community.splunk.com/t5/Security/Data-Model/m-p/670190#M17461 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262677">@Mohamad_Alaa</a>&nbsp;,</P><P>as I said, you have to enable datamodels and accelerations.</P><P>Ciao.</P><P>Giuseppe&nbsp;</P> Wed, 29 Nov 2023 13:34:19 GMT gcusello 2023-11-29T13:34:19Z https://community.splunk.com/t5/Security/Data-Model/m-p/670112#M17450 <P>is the output of the attached image right?<BR />i can see data model per run duration but by size has no values</P> Wed, 29 Nov 2023 07:38:58 GMT https://community.splunk.com/t5/Security/Data-Model/m-p/670112#M17450 Mohamad_Alaa 2023-11-29T07:38:58Z https://community.splunk.com/t5/Security/Data-Model/m-p/670116#M17451 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262677">@Mohamad_Alaa</a>&nbsp;,</P><P>you should check if the population scheduled searches are running and if they have results.</P><P>It seems that these scheduled searches are running, but they always have empty results.</P><P>Are you using CIM&gt;4.X compliant add-ons?</P><P>Ciao.</P><P>Giuseppe</P> Wed, 29 Nov 2023 08:07:27 GMT https://community.splunk.com/t5/Security/Data-Model/m-p/670116#M17451 gcusello 2023-11-29T08:07:27Z https://community.splunk.com/t5/Security/Data-Model/m-p/670121#M17454 <P>can you elaborate more regarding this point&nbsp;<BR />"you should check if the population scheduled searches are running and if they have results"<BR />How i can check it?</P><P>i installed CIM 5.2.0 and yes i installed TA-addons but not sure about compatibility, do you recommend download to 4.x?</P> Wed, 29 Nov 2023 08:24:13 GMT https://community.splunk.com/t5/Security/Data-Model/m-p/670121#M17454 Mohamad_Alaa 2023-11-29T08:24:13Z https://community.splunk.com/t5/Security/Data-Model/m-p/670125#M17455 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262677">@Mohamad_Alaa</a>&nbsp;,</P><P>when you choose an add-on from splunkbase, you should check the CIM compliance level.</P><P>about population searches, you should see in each Data Model the contrains, this is the population scheduled search</P><P>you should try to run these searches and see if you have results,these results are the records in the DataModel.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 29 Nov 2023 09:22:48 GMT https://community.splunk.com/t5/Security/Data-Model/m-p/670125#M17455 gcusello 2023-11-29T09:22:48Z https://community.splunk.com/t5/Security/Data-Model/m-p/670138#M17458 <P>when i access a data model (authentication for example)<BR />I noticed the below shown error</P><P>"This object has no explicit index constraint. Consider adding one for better performance."</P> Wed, 29 Nov 2023 11:03:21 GMT https://community.splunk.com/t5/Security/Data-Model/m-p/670138#M17458 Mohamad_Alaa 2023-11-29T11:03:21Z https://community.splunk.com/t5/Security/Data-Model/m-p/670156#M17459 <P>at the same time i have a message</P><P>The search "Network - Traffic Volume Per 30m - Model Gen" is related to the correlation search "Network - Unusual Volume of Network Activity - Rule" but it is not enabled even though the correlation search is; this will cause the correlation to fail</P><P>&nbsp;</P> Wed, 29 Nov 2023 11:48:58 GMT https://community.splunk.com/t5/Security/Data-Model/m-p/670156#M17459 Mohamad_Alaa 2023-11-29T11:48:58Z https://community.splunk.com/t5/Security/Data-Model/m-p/670164#M17460 <P>I added specifically the index, still having same issue<BR />I noticed the below as well</P><P>""App configuration<BR />The "Splunk Common Information Model" app has not been fully configured yet.<SPAN>This app has configuration properties that can be customized for this Splunk instance. Depending on the app, these properties may or may not be required.""</SPAN></P><P><SPAN>but not sure how to proceed already index was added and some data models were accelerated, i only have same button not a next or proceed button</SPAN></P><P>&nbsp;</P> Wed, 29 Nov 2023 12:20:52 GMT https://community.splunk.com/t5/Security/Data-Model/m-p/670164#M17460 Mohamad_Alaa 2023-11-29T12:20:52Z https://community.splunk.com/t5/Security/Data-Model/m-p/670190#M17461 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262677">@Mohamad_Alaa</a>&nbsp;,</P><P>as I said, you have to enable datamodels and accelerations.</P><P>Ciao.</P><P>Giuseppe&nbsp;</P> Wed, 29 Nov 2023 13:34:19 GMT https://community.splunk.com/t5/Security/Data-Model/m-p/670190#M17461 gcusello 2023-11-29T13:34:19Z https://community.splunk.com/t5/Security/Data-Model/m-p/670197#M17464 <P>problem solved, i appreciate all your responses<BR /><BR />once i search in SH, i should use the parameter splunk_server=* in order to see results<BR />So obviously this was my issue as i should see results without such paramter<BR /><BR />modified the below on SH, solved it<BR /><BR /></P><P><STRONG>C:\Program Files\Splunk\etc\system\local\distsearch.conf</STRONG></P><P><STRONG>[distributedSearch:dmc_group_indexer]</STRONG></P><P><STRONG>default = false</STRONG></P> Wed, 29 Nov 2023 14:13:12 GMT https://community.splunk.com/t5/Security/Data-Model/m-p/670197#M17464 Mohamad_Alaa 2023-11-29T14:13:12Z https://community.splunk.com/t5/Security/Data-Model/m-p/670203#M17466 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262677">@Mohamad_Alaa</a>&nbsp;,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 29 Nov 2023 14:57:36 GMT https://community.splunk.com/t5/Security/Data-Model/m-p/670203#M17466 gcusello 2023-11-29T14:57:36Z