
Accelerated Data Model return results from the last day only

efika
Communicator

In my implementation I have multiple data sources that I mapped to the CIM Authentication data model using tags and partial field aliasing.
Using a | datamodel query on the non-accelerated data model returns the proper results across the time range I've set. The problem starts when I choose to accelerate the data model. It doesn't matter if I choose 1 day, a month or any other value, the pivot or tstats queries will return results only from the last day/24 hours.

Has anyone experienced such an issue before?

1 Solution

efika
Communicator

Issue resolved!

Before I proceed with a description of what I did, kudos go to this great community and especially to this Answer, which gave me the ultimate hint.

So, in my implementation I have multiple sources that, because of specific needs, communicate highly heterogeneous events to my indexer, which can also include Windows event logs - but not necessarily in the expected sourcetype for the Windows TA.
In order to make use of the event code logic in the Windows TA I have to enable the Windows TA but also do some local automatic lookups in the context of my application.
This caused conflicts, which were eventually resolved by simply checking "Overwrite field values" in the local lookups I did.

In addition, what helped me get to this resolution was the use of the tstats summariesonly=t statement, which allowed me to understand what I am really getting only from the tsidx files.

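The diagnosis the poster describes, comparing what the acceleration summaries (tsidx files) hold against what the full data model search returns, can be done day by day with a single search. This is an added example, not the poster's own search; it assumes the CIM Authentication data model is installed and accelerated, and a 30-day window.

```spl
| tstats summariesonly=true count AS summary_count
    FROM datamodel=Authentication
    WHERE earliest=-30d@d latest=now
    BY _time span=1d
| append [
    | tstats summariesonly=false count AS full_count
        FROM datamodel=Authentication
        WHERE earliest=-30d@d latest=now
        BY _time span=1d ]
| stats sum(summary_count) AS summary_count, sum(full_count) AS full_count BY _time
| fillnull value=0 summary_count full_count
| eval missing_from_summary = full_count - summary_count
| where missing_from_summary > 0
```

Every day that comes back is a day the summaries do not cover. In the situation described in the thread, all days but the most recent one would appear. This matters beyond reporting: Enterprise Security correlation searches and most CIM-based detections run with summariesonly=true, so a summary that silently stops at 24 hours means authentication events older than that are never seen by those detections, with no error to tell you so.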
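The "Overwrite field values" checkbox in the automatic lookup definition corresponds in props.conf to OUTPUT rather than OUTPUTNEW on the LOOKUP- line. The fragment below is an added illustration, not the poster's configuration; the sourcetype, lookup name and field names are assumed.

```ini
# props.conf in the app's local directory (hypothetical sourcetype and lookup)

# Before: "Overwrite field values" unchecked. OUTPUTNEW only fills `action`
# when the event does not already carry one, so a value set earlier (for
# example by the Windows TA on the same event) wins and the lookup's result
# is silently dropped, leaving the CIM field inconsistent between events.
[my_heterogeneous_logs]
LOOKUP-action_from_eventcode = windows_action_lookup EventCode OUTPUTNEW action

# After: "Overwrite field values" checked. OUTPUT replaces whatever is there,
# so the value that ends up in the data model is the one the lookup defines.
[my_heterogeneous_logs]
LOOKUP-action_from_eventcode = windows_action_lookup EventCode OUTPUT action
```

Only one of the two stanzas would be present in a real file; they are shown side by side to make the single keyword difference visible. After changing it, the existing summaries were built with the old field values, so rebuild the acceleration (or let it catch up) and rerun the summariesonly comparison before trusting the result.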

efika
Communicator

Another thing to look out for when wishing to accelerate data models is that the data model and all its dependencies are shared globally:

http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Acceleratedatamodels

You can only accelerate data models that you have shared to all users of an app or shared globally to all users of your Splunk deployment. You cannot accelerate data models that are private. This prevents individual users from taking up disk space with private data model acceleration summaries.

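A quick way to check the sharing and acceleration state of every data model before trying to accelerate one. This is an added example, not from the poster or the documentation; it assumes the acceleration settings come back from the REST endpoint as a JSON string in the acceleration field, which is how recent Splunk versions return it.

```spl
| rest /servicesNS/-/-/datamodel/model
| spath input=acceleration path=enabled output=accel_enabled
| spath input=acceleration path=earliest_time output=accel_earliest
| table title eai:acl.app eai:acl.sharing accel_enabled accel_earliest
| sort eai:acl.sharing title
```

Models whose eai:acl.sharing is "user" are private and cannot be accelerated; change the sharing to app or global first. The accel_earliest column is also the place to confirm that the configured summary range is what you think it is, since a value like -1d would explain a summary that only ever holds the last day.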


richgalloway
SplunkTrust

@efika, please accept the answer to help future readers.
