Datamodel accleration status 100%, why do I need a...

Knowledge Management

I have enabled the Network_Traffic data model with acceleration going back 32 days. After a recent Splunk upgrade to
Splunk: 7.2.6
Splunk ES: 5.2.2

I noticed that my Network Traffic data model count volumes dropped off after going back about 2 weeks, despite an acceleration status of 100% complete. Found that by setting allowoldsummaries=t I could get all of the data.

Tried re-indexing the data model. It seemed to pick up data further back, but still not all of it.
I can check the model with this:

| tstats summariesonly=t allow_old_summaries=t count as DMcountWithOld from datamodel=Network_Traffic.All_Traffic by span=1d _time 
| append [tstats summariesonly=t count as DMcountNoOld from datamodel=Network_Traffic.All_Traffic by span=1d _time ]
| timechart span=1d sum(DMcountWithOld) as DMcountWithOld sum(DMcountNoOld) as DMcountNoOld

and I still see results diverge starting about 2 weeks back

Any ideas on why the data model acceleration fizzled out?

If it matters, ES is on a 6 search head cluster

77 KB

Get Updates on the Splunk Community!

Datamodel accleration status 100%, why do I need allow_old_summaries=t?

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!

Are you a member of the Splunk Community?

Datamodel accleration status 100%, why do I need allow_old_summaries=t?

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!