topic Re: Troubleshooting Data Model Network_Traffic in Dashboards & Visualizations

Troubleshooting Data Model Network_Traffic

daniel_augustyn — Tue, 29 Sep 2020 09:37:20 GMT

I am trying to set up ES and having some issues with Network_Traffic data model. I am getting logs from the firewalls with tags network and communicate, and I also created field alias for some of the fields. But the Network_Traffic data model still doesn't show any results. Any idea how to troubleshoot the issue?

I am getting 0 results after executing this command: | datamodel Network_Traffic All_Traffic search

***I also looked into this document: http://docs.splunk.com/Documentation/ES/3.1/Install/Networkdashboard

Re: Troubleshooting Data Model Network_Traffic

mbenwell — Tue, 29 Sep 2020 09:37:23 GMT

Assuming the current CIM data models here, do you get search results from the root object of the data model:
(cim_Network_Traffic_indexes) tag=network tag=communicate

If no, have you defined indexes in the cim_Network_Traffic_indexes macro? Or do you have the index in your default searched indexes?

Re: Troubleshooting Data Model Network_Traffic

daniel_augustyn — Tue, 29 Sep 2020 09:37:26 GMT

I don't get any results by running this search. How do I define an index in the cim_Network_Traffic_indexes macro for this data model?

Re: Troubleshooting Data Model Network_Traffic

mbenwell — Tue, 29 Sep 2020 09:37:28 GMT

Go to settings>advanced search>search macros. Select 'Splunk Common Information Model' (Splunk_SA_CIM) from the 'app context' menu. It should be listed there.

do you get anything by searching just the tags:
tag=network tag=communicate

Re: Troubleshooting Data Model Network_Traffic

daniel_augustyn — Tue, 29 Sep 2020 09:37:31 GMT

I found these two:

cim_Network_Traffic_indexes (index="network_summary" OR index="network_summary2" OR index="network_summary3")

Re: Troubleshooting Data Model Network_Traffic

mbenwell — Tue, 29 Sep 2020 09:37:34 GMT

So the macro "cim_Network_Traffic_indexes" contains (index="network_summary" OR index="network_summary2" OR index="network_summary3")"?

That seems strange, the network_summary* indexes are from ES, not the original data, that could be the issue. I am not sure why this would be the case, maybe something with your deployment? The macro "cim_Network_Traffic_indexes" should define the indexes to use in the data model. These cim_* macros are really to improve performance

Assuming there is a reason for the network_summary indexes listed in the macro, you could add the real data index to that macro and give it a go, i.e. add " OR index=" in the brackets

Re: Troubleshooting Data Model Network_Traffic

mcxrisley08 — Mon, 26 Mar 2018 16:14:26 GMT

I am having a similar issue with the Network_Traffic data model but mine is stuck on building and has been for a few days. I tried turning off acceleration and turning it back on to see if that would fix it but it still just stays on building.

Re: Troubleshooting Data Model Network_Traffic

ppablo — Mon, 26 Mar 2018 16:51:50 GMT

Hi @mcxrisley08

Since this post is almost 2 years old, I'd suggest posting a new question to get visibility for your issue. Peak traffic in the forum is from now until 1-2pm PST, so it would be a good time to post. Just provide as much detail in your content for users in the community to fully understand your problem so they can help you out. What have you done so far, what your current result is, and what you expect to see.