https://community.splunk.com/t5/Reporting/Accelerated-data-model-with-higher-event-count-than/m-p/405630#M6776 <P>Has anyone seen an issue where an accelerated data model has duplicate events in tsidx files? Occasionally I encounter an issue where there are many more records in the accelerated data model compared to the corresponding index data. </P> <P>I get the data model event count using </P> <PRE><CODE>| tstats count from datamodel=&lt;datamodel&gt; by _time </CODE></PRE> <P>And also see the high count in the pivot GUI. Rebuilding the data model will correct it so that the event counts match. I'd like to be able to prevent this from happening or at least understand why it occurs. <BR /> Around the time that the data model gets 'corrupted', I've noticed a lot of <CODE>sourcetype=splunkd_access</CODE> events are generated with a URI that looks like this:</P> <PRE><CODE>/servicesNS/user1/myapp/admin/summarization/tstats%3ADM_myapp_mydatamodel/touch </CODE></PRE> <P>The <CODE>user1</CODE> in this URI has limited permissions. They have access to <CODE>accelerate_search</CODE> but not to <CODE>schedule_search</CODE> which I think is is required for <CODE>accelerate_search</CODE> to be truly enabled. Anyway this URI is as close as I've been able to get to any sort of explanation. I never see it except when this issue is occurring. Is there any way to block a user role from executing this 'touch' search? Is this a cause or just another symptom?</P> <P>There are 12 datamodels in my app and this is happening to all of them except the slimmest 1 or 2. It occurs most often when the system has a lot of incoming data to crunch so it does seem to be process- or resource-related.</P> Fri, 22 Feb 2019 14:51:33 GMT camillak 2019-02-22T14:51:33Z https://community.splunk.com/t5/Reporting/Accelerated-data-model-with-higher-event-count-than/m-p/405630#M6776 <P>Has anyone seen an issue where an accelerated data model has duplicate events in tsidx files? Occasionally I encounter an issue where there are many more records in the accelerated data model compared to the corresponding index data. </P> <P>I get the data model event count using </P> <PRE><CODE>| tstats count from datamodel=&lt;datamodel&gt; by _time </CODE></PRE> <P>And also see the high count in the pivot GUI. Rebuilding the data model will correct it so that the event counts match. I'd like to be able to prevent this from happening or at least understand why it occurs. <BR /> Around the time that the data model gets 'corrupted', I've noticed a lot of <CODE>sourcetype=splunkd_access</CODE> events are generated with a URI that looks like this:</P> <PRE><CODE>/servicesNS/user1/myapp/admin/summarization/tstats%3ADM_myapp_mydatamodel/touch </CODE></PRE> <P>The <CODE>user1</CODE> in this URI has limited permissions. They have access to <CODE>accelerate_search</CODE> but not to <CODE>schedule_search</CODE> which I think is is required for <CODE>accelerate_search</CODE> to be truly enabled. Anyway this URI is as close as I've been able to get to any sort of explanation. I never see it except when this issue is occurring. Is there any way to block a user role from executing this 'touch' search? Is this a cause or just another symptom?</P> <P>There are 12 datamodels in my app and this is happening to all of them except the slimmest 1 or 2. It occurs most often when the system has a lot of incoming data to crunch so it does seem to be process- or resource-related.</P> Fri, 22 Feb 2019 14:51:33 GMT https://community.splunk.com/t5/Reporting/Accelerated-data-model-with-higher-event-count-than/m-p/405630#M6776 camillak 2019-02-22T14:51:33Z