Web
Web Data Model
MODEL
Objects
2 Events Edit
Permissions
Shared Globally. Owned by nobody. Edit
ACCELERATION
Rebuild Update Edit
Status
Building
Access Count
0. Last Access: 1969-12-31T19:00:00-05:00
Size on Disk
0.00MB
Summary Range
604800
Buckets
0
Updated
2016-05-13T10:18:11-04:00
It doesn't get past 0, no matter how long I leave it. I've got fields that match the Web CIM data model, and I'm trying to use the App for Web Proxies (https://splunkbase.splunk.com/app/2624/#/documentation ). Also, the instructions (http://docs.splunk.com/Documentation/CIM/4.4.0/User/Install ) optionally call to constrain the indexes each data model searches, but I don't have the Set-Up option. I'm using the latest 4.4 version, and have it installed on a Search Head Cluster.
it's possible that the accelerations are running, but it isn't finding data to accelerate. Some things to check
Make sure you get events back when you run a search like:
| datamodel Web Proxy search
run a search like this to make sure your accelerations are running:
index=_audit "search_id='SummaryDirector*" "user=splunk-system-user" "*web*"`
Regarding the setup: if the SA-CIM is installed, you should see a "Setup" in it's row in the app manager.
That search returns the data that I'm expecting, and are tagged as you say.
I get:dispatched search for savedsearch_id="nobody;Splunk_SA_CIM;_ACCELERATE_DM_Splunk_SA_CIM_Web_ACCELERATE_"
searching for index=_audit "search_id='SummaryDirector*" "user=splunk-system-user" "*web*"
`
I only see "Setup" when I choose one of my three search heads. When I use the VIP address, the "Setup" command isn't listed. Also, when I enter Setup, the index I keep my logs for the web events isn't available. I think that's the problem.
I'm running a search head cluster w/ 3 search heads, and 2 standalone indexers. Why doesn't the Splunk SA Cim APP see the necessary index, when I can search it using the splunk search bar?