Getting Data In

Error message: The search for datamodel 'abc_123' failed to parse, cannot get indexes to search?

mcrawford44
Communicator

I have two indexers in peer that share 1 index, and 1 data model. Both indexers are configured identically. Both data models are accelerated, and responsive to the '| datamodel' command.

When running a dashboard on our search head that uses the data model, we get the following message:

[indexer_2] The search for datamodel 'abc_123' failed to parse, cannot get indexes to search

When searching normally across peers, there are no errors and both indexers are responsive. When acceleration is disabled, there are no errors. However, I would like to keep this feature.

1 Solution

dmaislin_splunk
Splunk Employee

Remove any macro definitions from your data models and expand them. It will work fine after that.

landen99
Motivator

Look at the DM constraints. DMs are picky about the format of the constraints. If there is a macro, it may be hiding a problematic constraint. For instance, you cannot include a subsearch to return a filter.

woodcock
Esteemed Legend

This is due to a bug that caused eventtypes to no longer be able to use macros. This bug shows as fixed in 6.5.3 for SPL-130614 and SPL-135384, but we can find no releases that show either SPL-135385 or SPL-135387 as fixed anywhere, so if this matters to you, then dogpile onto these JIRAs.

tomasmoser
Contributor

Just hit the same issue with Varonis at a customer 🙂

jordanperks
Path Finder

I fixed this issue on the Malware Datamodel that ships with CIM app by disabling or editing any eventtype tag search that used a macro and tags malware/attack.

dmaislin_splunk
Splunk Employee

That is what I said above. No need to disable anything though, just expand any macros in the data models.

jordanperks
Path Finder

I didn't read eventtype tags from another application as "in the data model". I read it more as macros in the search that populates the data model. Just added some clarification.

balaji_venkat
Explorer

I had the same problem. Please verify everything from the root search to the constraint by disabling acceleration and doing a preview, or copy-paste your search into the search bar. There could be some issue in your search; in my case there was an unbalanced ) which was the problem.
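As an added example, not code from the thread or from Splunk, the script below expands backtick macro references in a data model constraint the way dmaislin_splunk and landen99 suggest doing by hand, and then checks the expanded SPL for the unbalanced parenthesis balaji_venkat ran into. The macros.conf fragment, macro names and constraint strings are constructed for the example.

```python
import configparser
import re
# Constructed macros.conf fragment for this example (not from the thread);
# the macro names and definitions are assumptions.
MACROS_CONF = """[malware_index]
definition = (index=av OR index=edr)
[host_filter(1)]
args = h
definition = host=$h$
[malware_blocked]
definition = `malware_index` action=blocked
"""

# Backtick macro reference: `name` or `name(arg1, arg2)`
MACRO_RE = re.compile(r"`([A-Za-z0-9_]+)(?:\(([^`]*)\))?`")

def load_macros(conf_text):
    """Parse macros.conf stanzas into {name: (arg_names, definition)}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    macros = {}
    for stanza in cp.sections():
        name = stanza.split("(")[0]  # "host_filter(1)" -> "host_filter"
        args = [a.strip() for a in cp[stanza].get("args", "").split(",") if a.strip()]
        macros[name] = (args, cp[stanza]["definition"])
    return macros

def expand(constraint, macros, depth=0):
    """Substitute macro references verbatim (as Splunk does), recursively."""
    if depth > 10:
        raise ValueError("macro nesting too deep, possible cycle")
    def sub(m):
        name, raw = m.group(1), m.group(2)
        params, body = macros[name]  # KeyError here means an undefined macro
        values = [v.strip() for v in raw.split(",")] if raw else []
        if len(values) != len(params):
            raise ValueError(f"`{name}` expects {len(params)} args, got {len(values)}")
        for p, v in zip(params, values):
            body = body.replace(f"${p}$", v)
        return body
    out = MACRO_RE.sub(sub, constraint)
    return expand(out, macros, depth + 1) if MACRO_RE.search(out) else out

def paren_balance(spl):
    """0 when parentheses balance; positive = unclosed '(', negative = stray ')'."""
    depth = 0
    for ch in spl:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return depth
    return depth
```

Because substitution is verbatim, a macro definition that contains an OR must carry its own parentheses, otherwise the expanded constraint silently changes precedence.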

reed_kelly
Contributor

My situation was a missing lookup file. After disabling acceleration, selecting Pivot revealed the source of the error.

kamal_jagga
Contributor

Hey... Would you be able to explain your statement in a bit more detail?

I am unaware of what a macro definition in a data model is.

Thanks

patng_nw
Communicator

@dmaislin, I am hitting the same problem but my search didn't use any macro. What could be other causes?
