In my implementation I have multiple data sources that I mapped to the CIM Authentication data model using tags and partial field aliasing.
Using a `| datamodel` query on the non-accelerated data model returns the proper results across the time range I've set. The problem starts when I choose to accelerate the data model. It doesn't matter if I choose 1 day, a month or any other value; the pivot or tstats queries will return results only from the last day/24 hours.
Has anyone experienced such an issue before?
Issue resolved!
Before I proceed with a description of what I did, kudos goes to this great community and especially this Answer, which gave me the ultimate hint.
So, in my implementation I have multiple sources that, because of specific needs, communicate highly heterogeneous events to my indexer, which can also include Windows event logs, but not necessarily in the source type expected by the Windows TA.
In order to make use of the event code logic in the Windows TA, I have to enable the Windows TA but also do some local automatic lookups in the context of my application.
This caused conflicts, which were eventually resolved by simply checking "overwrite field values" in the local lookups I did.
In addition, what helped me get to this resolution is the use of the `tstats summariesonly=t` statement, which allowed me to understand what I am really getting only from the tsidx files.
Another thing to look out for when wishing to accelerate data models is that the data model and all its dependencies must be shared globally:
http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Acceleratedatamodels
You can only accelerate data models that you have shared to all users of an app or shared globally to all users of your Splunk deployment. You cannot accelerate data models that are private. This prevents individual users from taking up disk space with private data model acceleration summaries.
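To see day by day which part of the searched time range is actually covered by the acceleration summary, the following search (an added example, not part of the original answer) compares a `summariesonly=t` count against the full count for the CIM `Authentication` data model named in the question; `summariesonly=f` falls back to the raw indexes for any span the summary does not hold.

```spl
| tstats summariesonly=t count AS accelerated_count FROM datamodel=Authentication BY _time span=1d
| append
    [| tstats summariesonly=f count AS full_count FROM datamodel=Authentication BY _time span=1d]
| stats sum(accelerated_count) AS accelerated_count sum(full_count) AS full_count BY _time
| fillnull value=0 accelerated_count full_count
| eval missing_from_summary = full_count - accelerated_count
| where missing_from_summary > 0
```

Any day listed has events that the raw search finds but the tsidx summary does not, which is exactly the 24-hour-only symptom described above; an empty result means the summary covers the whole range.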
@efika, please accept the answer to help future readers.