Accelerated Data Model return results from the last day only

efika
Communicator

In my implementation I have multiple data sources that I mapped to the CIM Authentication data model using tags and partial field aliasing.
Using a | datamodel query on the non-accelerated data model returns the proper results across the time range I've set. The problem starts when I choose to accelerate the data model. It doesn't matter if I choose 1 day, a month or any other value, the pivot or tstats queries will return results only from the last day/24 hours.

Has anyone experienced such an issue before?

1 Solution

efika
Communicator

Issue resolved!

Before I proceed with a description of what I did, kudos go to this great community and especially this Answer, which gave me the ultimate hint.

So, in my implementation I have multiple sources that, because of specific needs, communicate highly heterogeneous events to my indexer, which can also include Windows event logs, but not necessarily in the expected sourcetype for the Windows TA.
In order to make use of the event code logic in the Windows TA I have to enable the Windows TA, but also do some local automatic lookups in the context of my application.
This caused conflicts, which were eventually resolved by simply checking "Overwrite field values" in the local lookups I did.

In addition, what helped me get to this resolution is the use of the tstats summariesonly=t option, which allowed me to understand what I am really getting from the tsidx files alone.

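The diagnostic the accepted answer relies on, written out as an added example (these are not the poster's own searches). It assumes the data model is the CIM Authentication model named in the question; the time range comes from the time picker, and the `span` and alias names are choices made for this note. The five searches, in order: daily counts served from the acceleration summaries only; the same counts with `summariesonly=f`, so Splunk falls back to raw events for any period the summaries do not cover; the earliest and latest `_time` actually present in the summaries; the sourcetypes that made it into the summaries; and, for comparison, the sourcetypes the unaccelerated model returns through `| datamodel`.

```spl
| tstats summariesonly=t count FROM datamodel=Authentication BY _time span=1d

| tstats summariesonly=f count FROM datamodel=Authentication BY _time span=1d

| tstats summariesonly=t min(_time) AS first_summarized max(_time) AS last_summarized count FROM datamodel=Authentication
| eval first_summarized=strftime(first_summarized, "%Y-%m-%d %H:%M:%S"), last_summarized=strftime(last_summarized, "%Y-%m-%d %H:%M:%S")

| tstats summariesonly=t count FROM datamodel=Authentication BY sourcetype

| datamodel Authentication search
| stats count BY sourcetype
```

Run all five over the same time range. If the first search shows a single day while the second shows the full range, the summaries are the problem, not the model: either the summary range or backfill has not caught up, or (as in this thread) the events did not match the model's constraints at summarization time because a field was being overwritten inconsistently. The sourcetype comparison shows which sources are missing from the tsidx files. This matters for detection content because Enterprise Security correlation searches and most tstats-based detections run with `summariesonly=t`, so any source absent from the summaries is silently absent from alerting as well.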

efika
Communicator

Another thing to look out for when wishing to accelerate data models is that the data model and all dependencies are shared globally:

http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Acceleratedatamodels

You can only accelerate data models that you have shared to all users of an app or shared globally to all users of your Splunk deployment. You cannot accelerate data models that are private. This prevents individual users from taking up disk space with private data model acceleration summaries.

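A quick way to check the sharing and acceleration settings the comment above refers to, added here as an example rather than taken from the thread. It assumes the model is named Authentication as on this page; the search reads the datamodel REST endpoint, and it is assumed here that the `acceleration` column comes back as a JSON string whose `enabled` and `earliest_time` keys hold the acceleration toggle and the summary range.

```spl
| rest /servicesNS/-/-/datamodel/model splunk_server=local
| search title=Authentication
| table title eai:acl.app eai:acl.sharing acceleration
```

`eai:acl.sharing` should read `global` (or `app` when the model is shared with all users of that app); a value of `user` means the model is private and, per the documentation quoted above, cannot be accelerated. Running the search without the `title=` filter lists every model on the search head, which is a convenient inventory when several apps contribute CIM models and one of them turns out to be private.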


richgalloway
SplunkTrust

@efika, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.