Datamodel issues

damode
Motivator

When I pivot a particular datamodel, I get this error, "Datamodel 'Splunk_CIM_Validation.Vulnerabilities' had an invalid search, cannot get indexes to search"

After inspecting the search.log, I noticed these two error messages.

07-08-2020 20:16:24.484 ERROR AdminManagerValidation - 'undefineduundefined' is not a time string.
07-08-2020 20:16:24.484 ERROR DataModelValidator - 'undefineduundefined' is not a time string.

Can someone please help me fix this issue?

0 Karma
misterduke
Explorer

Hello,

Here is a similar topic. Did you try those steps?

In a nutshell, you should check the datamodel and the macro and look at what's in them. If the datamodel uses a macro and this particular macro tries to search an index that doesn't exist, you get an error. If the SPL within the datamodel/macro lacks something, you get an error.

You can expand macros, by the way, with Ctrl (or Command)+Shift+E.

Hope that helps.

0 Karma

damode
Motivator

Thanks for your help. I was able to fix the issue by disabling the datamodel acceleration which was still stuck on "building" status.

0 Karma
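
A check related to the error above, as an added example that is not part of the thread or of Splunk's own code: it scans datamodels.conf text for acceleration time settings whose value is not a time string, such as the 'undefineduundefined' in the log. That the rejected value sits in these settings is an assumption (the thread does not say where it came from); the time-string pattern is an approximation of Splunk's relative-time syntax, and SAMPLE_CONF is constructed.

```python
import configparser
import re

# datamodels.conf settings whose values are Splunk time strings.
TIME_KEYS = ("acceleration.earliest_time", "acceleration.backfill_time")

# Approximation of Splunk relative-time syntax: signed offsets and an optional
# @snap, e.g. -7d, -1mon, -1d@d, @w0. "now", "0" and epoch seconds also pass.
_UNIT = "(?:" + "|".join(
    "seconds second secs sec s minutes minute mins min m hours hour hrs hr h "
    "days day d weeks week w[0-7] w months month mon quarters quarter qtrs qtr "
    "q years year yrs yr y".split()) + ")"
_RELATIVE = re.compile(rf"(?:[+-]\d*{_UNIT})*(?:@{_UNIT}(?:[+-]\d*{_UNIT})?)?")

def is_time_string(value):
    value = value.strip()
    if not value:
        return False
    return value == "now" or value.isdigit() or bool(_RELATIVE.fullmatch(value))

def find_bad_time_settings(conf_text):
    """Return (stanza, key, value, accelerated) for each malformed time value."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep setting names as written
    parser.read_string(conf_text)
    findings = []
    for stanza in parser.sections():
        accel = parser.get(stanza, "acceleration", fallback="false").strip().lower()
        for key in TIME_KEYS:
            value = parser.get(stanza, key, fallback="").strip()
            if value and not is_time_string(value):  # unset values are skipped
                findings.append((stanza, key, value, accel in ("1", "true")))
    return findings

# Constructed sample, not taken from the system discussed in the thread.
SAMPLE_CONF = """
[Splunk_CIM_Validation]
acceleration = true
acceleration.earliest_time = undefineduundefined
acceleration.backfill_time = -1d@d

[Network_Traffic]
acceleration = true
acceleration.earliest_time = -1mon
"""

if __name__ == "__main__":
    for stanza, key, value, accelerated in find_bad_time_settings(SAMPLE_CONF):
        print(f"[{stanza}] {key} = {value!r} (accelerated={accelerated})")
```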