Error message: The search for datamodel 'abc_123' failed to parse, cannot get indexes to search?

Communicator

I have two indexers in a peer configuration that share 1 index and 1 data model. Both indexers are configured identically. Both data models are accelerated and respond to the '| datamodel' command.

When running a dashboard on our search head that uses the data model, we get the following message:

[indexer_2] The search for datamodel 'abc_123' failed to parse, cannot get indexes to search

When searching normally across peers, there are no errors and both indexers are responsive. When acceleration is disabled, there are no errors. However, I would like to keep this feature.

Splunk Employee (accepted solution)

Remove any macro definitions from your data models and expand them. It will work fine after that.

Motivator

Look at the DM constraints. DMs are picky about the format of the constraints. If there is a macro, it may be hiding a problematic constraint. For instance, you cannot include a subsearch to return a filter.

Esteemed Legend

This is due to a bug that caused eventtypes to no longer be able to use macros. This bug shows as fixed in 6.5.3 for SPL-130614 and SPL-135384, but we can find no releases that show that either SPL-135385 or SPL-135387 is fixed anywhere, so if this matters to you, then dogpile onto these JIRAs.

Contributor

Just hit the same issue with Varonis at a customer 🙂

Path Finder

I fixed this issue on the Malware data model that ships with the CIM app by disabling or editing any eventtype search that used a macro and the tags malware/attack.

Splunk Employee

That is what I said above. No need to disable anything though, just expand any macros in the data models.

Path Finder

I didn't read eventtype tags from another application as "in the data model". I read it more as macros in the search that populates the data model. Just added some clarification.

Explorer

I had the same problem. Please verify everything from the root search to the constraint by disabling acceleration and doing a preview, or copy-paste your search into the search bar. There could be an issue in your search; in my case an unbalanced ) was the issue.
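The replies above name three things that make a data model constraint fail to parse: a macro call in the constraint, a subsearch used as a filter, and an unbalanced parenthesis. The script below is an added example (not from the thread and not Splunk's code) that runs those checks over a constraint string and inlines macro calls from a dict that stands in for macros.conf, which is what the accepted answer asks you to do by hand. The macro names, definitions and constraint strings are constructed for the example.

```python
"""Static checks for a Splunk data model constraint (or the search that
populates a data set). Added example, not Splunk's code: it flags the three
causes named in this thread (macros, a subsearch, unbalanced parentheses)
and inlines macros from a dict that stands in for macros.conf."""
import re

# SPL writes a macro call as `name` or `name(arg1, arg2)` between backticks.
MACRO_RE = re.compile(r"`([A-Za-z0-9_]+)(?:\((.*?)\))?`")

# Constructed stand-in for macros.conf: stanza name -> args/definition.
# A macro with N arguments lives in a [name(N)] stanza with args = a,b,...
SAMPLE_MACROS = {
    "abc_index": {"definition": "index=abc"},
    "cim_malware(1)": {"args": ["host_filter"],
                       "definition": "tag=malware $host_filter$"},
}


def _split_args(raw):
    return [a.strip() for a in raw.split(",")] if raw else []


def find_macros(constraint):
    """Return [(name, [args...]), ...] for every macro call found."""
    return [(m.group(1), _split_args(m.group(2)))
            for m in MACRO_RE.finditer(constraint)]


def expand_macros(constraint, macros, _depth=0):
    """Inline every macro call. Splunk substitutes the definition verbatim
    (no added parentheses), so a definition meant to be OR'd together must
    carry its own. Raises KeyError for an undefined macro and
    RecursionError for a macro cycle."""
    if _depth > 10:
        raise RecursionError("macro expansion nested too deeply (cycle?)")

    def repl(m):
        name, args = m.group(1), _split_args(m.group(2))
        key = f"{name}({len(args)})" if args else name
        if key not in macros:
            raise KeyError(f"macro [{key}] not found in macros.conf")
        body = macros[key]["definition"]
        for param, value in zip(macros[key].get("args", []), args):
            body = body.replace(f"${param}$", value)
        return body

    out = MACRO_RE.sub(repl, constraint)
    # A definition may itself call macros; keep going until none are left.
    return expand_macros(out, macros, _depth + 1) if MACRO_RE.search(out) else out


def _blank_quoted(text):
    """Replace double-quoted strings with spaces so a bracket inside a
    quoted value (msg="a (b") is not counted as syntax."""
    return re.sub(r'"(?:\\.|[^"\\])*"', lambda m: " " * len(m.group(0)), text)


def lint_constraint(constraint):
    """Return a list of problems the data model parser will choke on;
    an empty list means the constraint passed these checks."""
    problems = [f"macro `{name}` with {len(args)} arg(s): expand it inline"
                for name, args in find_macros(constraint)]
    body = _blank_quoted(constraint)
    if "[" in body or "]" in body:
        problems.append("subsearch [...] is not allowed in a constraint")
    depth = 0
    for ch in body:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append("unbalanced ')' with no matching '('")
                break
    if depth > 0:
        problems.append(f"{depth} unclosed '('")
    return problems


if __name__ == "__main__":
    raw = "`abc_index` sourcetype=edr `cim_malware(host=web*)`"
    print(lint_constraint(raw))
    expanded = expand_macros(raw, SAMPLE_MACROS)
    print(expanded, lint_constraint(expanded))
```

Run it against each constraint in your datamodels.conf before re-enabling acceleration; anything it reports is something the search head would otherwise only surface as the generic "failed to parse" message from a peer.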

Contributor

My situation was a missing lookup file. After disabling acceleration, selecting Pivot revealed the source of the error.

Contributor

Hey... Would you be able to explain your statement in a bit more detail?

I am unaware of what a macro definition in a data model is.

Thanks

Path Finder

@dmaislin, I am hitting the same problem, but my search didn't use any macros. What could be other causes?