Knowledge Management

Datamodel issues

damode
Motivator

When I pivot a particular datamodel, I get this error, "Datamodel 'Splunk_CIM_Validation.Vulnerabilities' had an invalid search, cannot get indexes to search"

After inspecting the search.log, I noticed these two error messsages.

07-08-2020 20:16:24.484 ERROR AdminManagerValidation - 'undefineduundefined' is not a time string.
07-08-2020 20:16:24.484 ERROR DataModelValidator - 'undefineduundefined' is not a time string.

Can someone please help how to fix this issue ?

Labels (1)
0 Karma
1 Solution

damode
Motivator

Thanks for your help. I was able to fix the issue by disabling the datamodel acceleration which was still stuck on "building" status.

View solution in original post

0 Karma

misterduke
Explorer

Hello,

 

here is a similar topic. did you try those steps? 

in a nutshell you should check the datamodel and the macro and look what's in it. if the datamodel uses a macro and this particular macro tries to search an index that doesn't exist, you get an error. if the SPL within the datamodel/macro lacks something, you get an error.

 

you can expand macros btw with STRG (or command)+Shift+E

 

hope that helps

0 Karma

damode
Motivator

Thanks for your help. I was able to fix the issue by disabling the datamodel acceleration which was still stuck on "building" status.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...