Why are we getting error "The search for datamodel...

bigtyma · ‎12-03-2014

"The search for datamodel 'TS2' failed to parse, cannot get indexes to search"

We are receiving this error on a search head that is hosting the Threatstream/Optic app.

The data model is accelerated and the base search used to generate the constraints is working.

Any ideas or troubleshooting advice is appreciated.

Thank you

jordanperks · ‎05-11-2015

I fixed this issue on the Malware Datamodel that ships with CIM app by disabling or editing any eventtype tag search that used a macro and tags malware/attack.

bigtyma · ‎12-03-2014

Update: I have disabled acceleration for this data model and now the pivot is working correctly. However we would like for acceleration to work. Ideas?

Why are we getting error "The search for datamodel 'TS2' failed to parse, cannot get indexes to search" on a search head with the OPTIC Splunk App?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>

Why are we getting error "The search for datamodel 'TS2' failed to parse, cannot get indexes to search" on a search head with the OPTIC Splunk App?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>