I am trying to set up ES and having some issues with the Network_Traffic data model. I am getting logs from the firewalls with the tags network and communicate, and I also created field aliases for some of the fields. But the Network_Traffic data model still doesn't show any results. Any idea how to troubleshoot the issue?
I am getting 0 results after executing this command: | datamodel Network_Traffic All_Traffic search
I also looked into this document: http://docs.splunk.com/Documentation/ES/3.1/Install/Networkdashboard
I am having a similar issue with the Network_Traffic data model but mine is stuck on building and has been for a few days. I tried turning off acceleration and turning it back on to see if that would fix it but it still just stays on building.
Hi @mcxrisley08
Since this post is almost 2 years old, I'd suggest posting a new question to get visibility for your issue. Peak traffic in the forum is from now until 1-2pm PST, so it would be a good time to post. Just provide as much detail as you can so that users in the community can fully understand your problem and help you out: what you have done so far, what your current result is, and what you expect to see.
Assuming the current CIM data models here, do you get search results from the root object of the data model:
(`cim_Network_Traffic_indexes`) tag=network tag=communicate
If no, have you defined indexes in the cim_Network_Traffic_indexes macro? Or do you have the index in your default searched indexes?
I don't get any results by running this search. How do I define an index in the cim_Network_Traffic_indexes macro for this data model?
Go to Settings > Advanced search > Search macros. Select 'Splunk Common Information Model' (Splunk_SA_CIM) from the 'App context' menu. It should be listed there.
Do you get anything by searching just the tags:
tag=network tag=communicate
I found these two:
cim_Network_Traffic_indexes (index="network_summary" OR index="network_summary2" OR index="network_summary3")
communicate tag=network tag=communicate | tags outputfield=tag | fillnull value=unknown action,dvc,rule,transport,src,dest | eval transport=lower(transport)
| fillnull value=0 bytes_in,bytes_out,src_port,dest_port | eval bytes=if(isnull(bytes),bytes_in+bytes_out,bytes) | `get_vendor_product`
So the macro "cim_Network_Traffic_indexes" contains (index="network_summary" OR index="network_summary2" OR index="network_summary3")?
That seems strange: the network_summary* indexes are from ES, not the original data, so that could be the issue. I am not sure why this would be the case, maybe something with your deployment? The macro "cim_Network_Traffic_indexes" should define the indexes to use in the data model. These cim_* macros are really there to improve performance.
Assuming there is a reason for the network_summary indexes being listed in the macro, you could add the real data index to that macro and give it a go, i.e. add " OR index=" inside the brackets.
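The two troubleshooting steps in this thread (check the data model's root search with the cim_Network_Traffic_indexes macro, then put the real firewall index into that macro) as a small POSIX shell script. This is an added example and not code from the thread or from Splunk_SA_CIM. It assumes Splunk is installed under $SPLUNK_HOME (default /opt/splunk) and uses a hypothetical index name "firewall"; substitute the index your firewall logs actually land in. The override goes into Splunk_SA_CIM/local/macros.conf rather than default/, because default/ is replaced when the CIM app is upgraded, and the script refuses to add a second stanza if one is already there.

```shell
#!/bin/sh
# Added example: stage the Network_Traffic checks from the thread and write a
# local override for the cim_Network_Traffic_indexes macro.
# Assumptions: Splunk lives at $SPLUNK_HOME; "firewall" is a hypothetical index name.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
CIM_LOCAL="$SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local"

# The three stages from the thread, narrowest scope first:
#   1. tags only            -> proves the event types / tags are applied at all
#   2. tags + index macro   -> the data model's root constraint, proves the macro
#                              points at the index that holds the raw events
#   3. datamodel command    -> proves the data model itself (permissions, acceleration)
tag_search()       { printf '%s' 'tag=network tag=communicate | stats count'; }
root_search()      { printf '%s' "(\`cim_Network_Traffic_indexes\`) tag=network tag=communicate | stats count"; }
datamodel_search() { printf '%s' '| datamodel Network_Traffic All_Traffic search | stats count'; }

# Build the macro body from a list of index names:
#   macro_definition firewall pan_logs  ->  (index="firewall" OR index="pan_logs")
macro_definition() {
    out=""
    for idx in "$@"; do
        [ -n "$out" ] && out="$out OR "
        out="${out}index=\"$idx\""
    done
    printf '(%s)' "$out"
}

# Append the override stanza to local/macros.conf. local/ survives app upgrades;
# default/ does not. Refuse to duplicate a stanza that is already present.
write_macro_override() {
    mkdir -p "$CIM_LOCAL"
    if grep -q '^\[cim_Network_Traffic_indexes\]' "$CIM_LOCAL/macros.conf" 2>/dev/null; then
        echo "cim_Network_Traffic_indexes already overridden in $CIM_LOCAL/macros.conf; edit it by hand" >&2
        return 1
    fi
    {
        printf '[cim_Network_Traffic_indexes]\n'
        printf 'definition = %s\n' "$(macro_definition "$@")"
    } >> "$CIM_LOCAL/macros.conf"
}

# Show the effective definition after default/ and local/ are layered, and which
# file it came from (--debug prefixes each line with the source path). If it
# still shows the network_summary* indexes, the override was not picked up.
show_effective_macro() {
    "$SPLUNK_HOME/bin/splunk" btool macros list cim_Network_Traffic_indexes --debug
}

# Run the three stages over the last 24 hours. The first stage that returns 0
# localizes the problem: no tags -> fix event types/tags; tags but no root ->
# fix the macro/indexes; root but no datamodel -> look at the data model itself.
run_checks() {
    for spl in "$(tag_search)" "$(root_search)" "$(datamodel_search)"; do
        printf '==> %s\n' "$spl"
        "$SPLUNK_HOME/bin/splunk" search "$spl" -earliest_time -24h -latest_time now
    done
}

# Only touch the Splunk installation when invoked as:  ./nt_check.sh --apply firewall
if [ "${1:-}" = "--apply" ]; then
    shift
    write_macro_override "$@" && show_effective_macro && run_checks
fi
```

After a hand edit of macros.conf, a splunkd restart is the safe way to be sure the new definition is loaded; the Settings page route from the earlier answer does not need one. Run the three searches again afterwards in the same order, since a working root search with an empty data model points at the data model (acceleration, permissions) rather than at the indexes.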