All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Accelerated Data Model return results from the last day only

efika
Communicator
‎11-21-2017 06:47 AM

In my implementation I have multiple data sources that I mapped to the CIM Authentication data model using tags and partial field aliasing.
Using a |Datamodel query on the non-accelerated data mode return the proper results across the time range I've set. The problem starts when I choose to accelerated the data model. IT doesn't matter if I will choose 1 day, a month or any other value, the pivot or tstat queries will return results only from the last day/24 hours.

Have anyone experienced such an issue before ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

efika
Communicator
‎11-22-2017 04:17 AM

Issue resolved !

Before i'll proceed with a description of what I did, a kudos goes to this great community and especially this Answer which gave me the ultimate hint.

So, in my implementation I have multiple sources that because of the specific needs communicate highly heterogeneous events to my indexer, which can also include Windows event logs - but not necessarily in the expected source type for the windows TA.
In order to make use of the event codes logic in the Windows TA I have to enable the Windows TA but also do some local automatic lookups in the context of my application.
this caused conflicts which were eventually resolved by simply checking "overwrite field values" in the local lookups I did.

In addition what helped me get to this resolution is the use of the tstat summariesonly=t statement that allowed me to understand what am I really getting only from the tsidx files.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

efika
Communicator
‎11-27-2017 06:20 AM

Another thing to look after when wishing to accelerate Data Models is that the data model and all dependencies are shared globally:

http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Acceleratedatamodels

You can only accelerate data models that you have shared to all users of an app or shared globally to all users of your Splunk deployment. You cannot accelerate data models that are private. This prevents individual users from taking up disk space with private data model acceleration summaries.

0 Karma
Reply
Solved! Jump to solution
Solution

efika
Communicator
‎11-22-2017 04:17 AM

Issue resolved !

Before i'll proceed with a description of what I did, a kudos goes to this great community and especially this Answer which gave me the ultimate hint.

So, in my implementation I have multiple sources that because of the specific needs communicate highly heterogeneous events to my indexer, which can also include Windows event logs - but not necessarily in the expected source type for the windows TA.
In order to make use of the event codes logic in the Windows TA I have to enable the Windows TA but also do some local automatic lookups in the context of my application.
this caused conflicts which were eventually resolved by simply checking "overwrite field values" in the local lookups I did.

In addition what helped me get to this resolution is the use of the tstat summariesonly=t statement that allowed me to understand what am I really getting only from the tsidx files.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-22-2017 05:14 AM

@efika, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...