Knowledge Management

Datamodel accleration status 100%, why do I need allow_old_summaries=t?

Builder

I have enabled the Network_Traffic data model with acceleration going back 32 days. After a recent Splunk upgrade to
Splunk: 7.2.6
Splunk ES: 5.2.2

I noticed that my Network Traffic data model count volumes dropped off after going back about 2 weeks, despite an acceleration status of 100% complete. Found that by setting allowoldsummaries=t I could get all of the data.

Tried re-indexing the data model. It seemed to pick up data further back, but still not all of it.
I can check the model with this:

| tstats summariesonly=t allow_old_summaries=t count as DMcountWithOld from datamodel=Network_Traffic.All_Traffic by span=1d _time 
| append [tstats summariesonly=t count as DMcountNoOld from datamodel=Network_Traffic.All_Traffic by span=1d _time ]
| timechart span=1d sum(DMcountWithOld) as DMcountWithOld sum(DMcountNoOld) as DMcountNoOld

and I still see results diverge starting about 2 weeks back
alt text

Any ideas on why the data model acceleration fizzled out?

If it matters, ES is on a 6 search head cluster

0 Karma