https://community.splunk.com/t5/Splunk-Enterprise/When-did-having-an-index-become-mandatory-Is-it-possible-to-turn/m-p/609863#M13666 <P>- Go to settings &gt; all configuration &gt; search for your datamodel constraint index e.g. cim_Malware_indexes<BR />- edit the macro definition from "()" to "(index=*)" and save the macro<BR />- go back to the datamodel constraint and remove any additional info not included in the original constraint "<SPAN>(`cim_Malware_indexes`) tag=malware tag=attack"</SPAN> and save the datamodel<BR />- go back to the macro and reverse "(index=*)" to "()"<BR /><BR />your datamodel should now have the (`cim_Malware_indexes`) tag=malware tag=attack as it's constraints<BR /><BR /></P> Wed, 17 Aug 2022 20:03:50 GMT sylax 2022-08-17T20:03:50Z https://community.splunk.com/t5/Splunk-Enterprise/When-did-having-an-index-become-mandatory-Is-it-possible-to-turn/m-p/532538#M4398 <P>I'm doing some testing and figured out I need to run this in a savedsearch to extract the JSON field values.</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=dam sourcetype="imperva:dam" | eval dam_json=_raw | rex field=dam_json mode=sed "s/^.* \{/{/g" | eval dam_json=replace(dam_json, "\\\\", "-") | spath input=dam_json</LI-CODE> <P>&nbsp;</P> <P>This removes the header "<SPAN class="t">Dec</SPAN> <SPAN class="t">9</SPAN> <SPAN class="t">20:15:27</SPAN> <SPAN class="t">FQDN</SPAN>" and leaves the JSON between the {}.&nbsp; When I try to use the saved search in a datamodel I get this error</P> <P>&nbsp;</P> <LI-CODE lang="markup">In handler 'datamodeledit': Error in 'Imperva_DB_Audit': Dataset constraints must specify at least one index. </LI-CODE> <P>&nbsp;</P> <P><SPAN class="search-string">The Splunk version on my laptop is Splunk 8.1.0 (build f57c09e87251).&nbsp; On the production system we are running Splunk 7.3.6 (build 47d8552a4d84) and an index isn't necessary since we have one datamodel with this as the constraints.</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="markup">dlp_rule_severity="HIGH"</LI-CODE> <P>&nbsp;</P> <P><SPAN class="search-string">So two questions.&nbsp; When did having an index become mandatory?&nbsp; Is it possible to turn off the mandatory feature?&nbsp; If not, we will have to go through our datamodels before we upgrade.<BR /></SPAN></P> <P>TIA,</P> <P>Joe</P> Wed, 17 Aug 2022 20:07:08 GMT https://community.splunk.com/t5/Splunk-Enterprise/When-did-having-an-index-become-mandatory-Is-it-possible-to-turn/m-p/532538#M4398 jwhughes58 2022-08-17T20:07:08Z https://community.splunk.com/t5/Splunk-Enterprise/When-did-having-an-index-become-mandatory-Is-it-possible-to-turn/m-p/543913#M5284 <P>Hi -</P><P>I can't offer any suggestions, but am also running into the same issue.&nbsp; Using a DM on Splunk 7.2.1 with no problems.&nbsp; The DM constraints use tags from eventtypes that include the index/sourcetype.&nbsp; Have never seen the "Dataset constraints must specify at least one index" on 7.2.1</P><P>However migrating the DM over to an 8.0.6 splunk, this error appears for each root search:&nbsp; "This object has no explicit index constraint. Consider adding one for better performance." and editing a constraint results in "In handler 'datamodeledit': Error in 'WT_CloudInfrastructure': Dataset constraints must specify at least one index."&nbsp; &nbsp;All relevant tags/eventytpes exist.&nbsp;&nbsp;<BR /><BR />As Joe asked, is it possible to disable or fix this problem?<BR /><BR />Thanks,</P><P>Kris</P> Mon, 15 Mar 2021 19:03:35 GMT https://community.splunk.com/t5/Splunk-Enterprise/When-did-having-an-index-become-mandatory-Is-it-possible-to-turn/m-p/543913#M5284 krispyswitch 2021-03-15T19:03:35Z https://community.splunk.com/t5/Splunk-Enterprise/When-did-having-an-index-become-mandatory-Is-it-possible-to-turn/m-p/609863#M13666 <P>- Go to settings &gt; all configuration &gt; search for your datamodel constraint index e.g. cim_Malware_indexes<BR />- edit the macro definition from "()" to "(index=*)" and save the macro<BR />- go back to the datamodel constraint and remove any additional info not included in the original constraint "<SPAN>(`cim_Malware_indexes`) tag=malware tag=attack"</SPAN> and save the datamodel<BR />- go back to the macro and reverse "(index=*)" to "()"<BR /><BR />your datamodel should now have the (`cim_Malware_indexes`) tag=malware tag=attack as it's constraints<BR /><BR /></P> Wed, 17 Aug 2022 20:03:50 GMT https://community.splunk.com/t5/Splunk-Enterprise/When-did-having-an-index-become-mandatory-Is-it-possible-to-turn/m-p/609863#M13666 sylax 2022-08-17T20:03:50Z