https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/661217#M951 <P>Solution in my case was a field marked as required which was missing in the data - after adding it to the data again the issue was solved.</P> Wed, 18 Oct 2023 15:20:31 GMT _Tom 2023-10-18T15:20:31Z https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/297642#M943 <P>Hi,</P> <P>I am new to Data models and accelerations, too. I am trying to parse log for a data model and ES. The log parsing is moving now, but far from the final solution, I can search by Data model/Pivot.</P> <P>I checked the Enterprise Security dashboard, but it does not show anything that can be linked to this logs. I executed the dashboards searches manually, still shows no event matched. (| tstats...) Then I checked Data model acceleration status:<BR /> ACCELERATION<BR /> Rebuild Update Edit<BR /><BR /> Status Building <BR /> Access Count 0. <BR /> Last Access: -<BR /><BR /> Size on Disk 0 B <BR /> Summary Range 31536000 second(s) <BR /> Buckets 0<BR /><BR /> Updated 1/1/70 1:00:00.000 AM </P> <P>What couse the problem, how can I debug and fix it?<BR /> This is the Malware data model, there are events with tag malware and attack. There are events with some action and dest fields to.</P> <P>Regards,<BR /> István</P> Mon, 08 Jan 2018 12:42:41 GMT https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/297642#M943 ikulcsar 2018-01-08T12:42:41Z https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/297643#M944 <P>check this<BR /> <A href="https://answers.splunk.com/answers/149645/how-to-tell-if-accelerated-data-model-is-still-rebuilding.html">https://answers.splunk.com/answers/149645/how-to-tell-if-accelerated-data-model-is-still-rebuilding.html</A><BR /> it may help you</P> Mon, 08 Jan 2018 12:46:51 GMT https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/297643#M944 mayurr98 2018-01-08T12:46:51Z https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/297644#M945 <P>Hi,</P> <P>Thx, I already checked the menu/action item under Search &amp; Reporting/Datasets/Malware, Explore/"Visualize with Pivot" and "Investigate in Search". Both show results. (This is the "View Events"?)<BR /> Permissions also look good (scheduler logs).</P> <P>Regards,<BR /> István</P> Mon, 08 Jan 2018 15:31:24 GMT https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/297644#M945 ikulcsar 2018-01-08T15:31:24Z https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/297645#M946 <P>Hi, a little update:</P> <P>I built a Linux test system instead of Windows-based. Data model acceleration now 100%, but size still 0B.</P> <P>Running tstats searches:<BR /> - with summariesonly=t: no result<BR /> - with summariesonly=f: I've received a valid result.</P> <P>I far as I can see, the searches of the Data model acceleration running with success,</P> <P>Any suggestion?</P> <P>Regards,<BR /> István</P> Thu, 11 Jan 2018 10:18:38 GMT https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/297645#M946 ikulcsar 2018-01-11T10:18:38Z https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/297646#M947 <P>summariesonly<BR /> Syntax: summariesonly=<BR /> Description: Only applies when selecting from an accelerated data model. When false, generates results from both summarized data and data that is not summarized. For data not summarized as TSIDX data, the full search behavior will be used against the original index data. If set to true, 'tstats' will only generate results from the TSIDX data that has been automatically generated by the acceleration and non-summarized data will not be provided.<BR /> Default: false</P> <P>in your case searches of the Data model acceleration running without success does your search contains tokens? and what is the acceleration period?</P> Thu, 11 Jan 2018 10:27:36 GMT https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/297646#M947 mayurr98 2018-01-11T10:27:36Z https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/297647#M948 <P>Hi,</P> <P>This is the built-in Malware data model with 1 year acceleration period.<BR /> ACCELERATION<BR /> Rebuild Update Edit </P> <P>Status 100.00% Completed <BR /> Access Count 0. Last Access: -<BR /><BR /> Size on Disk 0 B<BR /><BR /> Summary Range 31536000 second(s)<BR /><BR /> Buckets 96 <BR /> Updated 1/11/18 11:41:53.000 AM `</P> <P>The search:</P> <PRE><CODE>| tstats prestats=true local=false summariesonly=t allow_old_summaries=true count from datamodel=Malware.Malware_Attacks where * by _time span=10m </CODE></PRE> <P>Regrads,<BR /> István</P> Thu, 11 Jan 2018 10:48:39 GMT https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/297647#M948 ikulcsar 2018-01-11T10:48:39Z https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/297648#M949 <P>Hi,</P> <P>Thanks everyone for the help. Finally looks like the problem have been solved:<BR /> After I renamed the Add-on to "Enterprise Security conform", the acceleration starts to works... (And ES Endpoint dashboard show the events.) <BR /> <A href="http://docs.splunk.com/Documentation/ES/latest/Install/ImportCustomApps">http://docs.splunk.com/Documentation/ES/latest/Install/ImportCustomApps</A></P> <P>I thought it was only due to configuration distribution for Indexer. Looks like I was wrong.</P> <P>Regards,<BR /> István</P> Sat, 20 Jan 2018 23:08:50 GMT https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/297648#M949 ikulcsar 2018-01-20T23:08:50Z https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/660492#M950 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/209491">@ikulcsar</a>,<BR /><BR />have you found a solution to the problem?<BR />I currently face a similar issue in Splunk 9.0.5 with an accelerated datamodel, completing 100% but with 0 byte size&nbsp;and no results while having 30 buckets and the base-search is returing a million events and no errors.</P> Thu, 12 Oct 2023 09:10:28 GMT https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/660492#M950 _Tom 2023-10-12T09:10:28Z https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/661217#M951 <P>Solution in my case was a field marked as required which was missing in the data - after adding it to the data again the issue was solved.</P> Wed, 18 Oct 2023 15:20:31 GMT https://community.splunk.com/t5/Other-Usage/Data-model-acceleration-status-Building/m-p/661217#M951 _Tom 2023-10-18T15:20:31Z