Is it possible to schedule the rebuild of an accelerated data model?

andrewtrobec
Builder

Hello everyone,

It recently came to my attention that data coming from a lookup within my accelerated data model was not populating correctly. The symptom was that I was finding blank fields where the lookup data should have been. I managed to resolve this issue by simply rebuilding the model by manually clicking the "rebuild" button. I have no idea why this happened, but I would like to have the opportunity of automatically calling this rebuild function for the model so that I can avoid a re-occurrence in future.

Is there a parameter in datamodels.conf or a search command that I can use to automatically invoke this rebuild function?

Thanks!

Andrew

ivanreis
Builder

I did a search in datamodels.conf and I did not find any command where this can be done automatically, but it seems Splunk runs a type of correction when it identifies that the datamodel is not up to date for the acceleration function. This is the only attribute I found when I searched for rebuild:

acceleration.manual_rebuilds =
* ADVANCED: When set to 'true,' this setting prevents outdated summaries from
  being rebuilt by the 'summarize' command.
* Normally, during the creation phase, the 'summarize' command automatically
  rebuilds summaries that are considered to be out-of-date, such as when the
  configuration backing the data model changes.
* The Splunk software considers a summary to be outdated when:
  * The data model search stored in its metadata no longer matches its current
    data model search.
  * The search stored in its metadata cannot be parsed.
* NOTE: If the Splunk software finds a partial summary be outdated, it always
  rebuilds that summary so that a bucket summary only has results corresponding to
  one datamodel search.
* Defaults to: false

I took this definition from this link
https://docs.splunk.com/Documentation/ITSI/4.3.0/Configure/datamodels.conf#GLOBAL_SETTINGS

andrewtrobec
Builder

Thanks for taking the time, I appreciate it! I also found that setting and I'm assuming that it's better to be left to the default value of "false". I mean, I think it's better to have Splunk rebuild the summaries.

One thing that I think might fix this problem is to have the lookup configured within the datamodel itself. Right now it is an automatic lookup that is associated to the sourcetype...
