Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to schedule the rebuild of an accelerated data model?

andrewtrobec
Motivator
‎10-10-2019 01:42 AM

Hello everyone,

It recently came to my attention that data coming from a lookup within my accelerated data model was not populating correctly. The symptom was that I was finding blank fields where the lookup data should have been. I managed to resolve this issue by simply rebuilding the model by manually clicking the "rebuild" button. I have no idea why this happened, but I would like to have the opportunity of automatically calling this rebuild function for the model so that I can avoid a re-occurrence in future.

Is there a parameter in datamodels.conf or a search command that I can use to automatically invoke this rebuild function?

Thanks!

Andrew

Reply

ivanreis
Builder
‎10-10-2019 05:53 PM

I did a search at datamodel.conf and I did not find any command where this can be done automatically, but it seams splunk run a type of correction when identifies the datamodel is not up to date for acceleration function. This is the only attribute I found when I source for rebuild

acceleration.manual_rebuilds =
* ADVANCED: When set to 'true,' this setting prevents outdated summaries from
being rebuilt by the 'summarize' command.
* Normally, during the creation phase, the 'summarize' command automatically
rebuilds summaries that are considered to be out-of-date, such as when the
configuration backing the data model changes.
* The Splunk software considers a summary to be outdated when:
* The data model search stored in its metadata no longer matches its current
data model search.
* The search stored in its metadata cannot be parsed.
* NOTE: If the Splunk software finds a partial summary be outdated, it always
rebuilds that summary so that a bucket summary only has results corresponding to
one datamodel search.
* Defaults to: false

I took this definition from this link
https://docs.splunk.com/Documentation/ITSI/4.3.0/Configure/datamodels.conf#GLOBAL_SETTINGS

Reply

andrewtrobec
Motivator
‎10-10-2019 11:07 PM

Thanks for taking the time, I appreciate it! I also found that setting and I'm assuming that it's better to be left to the default value of "false". I mean, I think it's better to have Splunk rebuild the summaries.

One thing that I think might fix this problem is to have the lookup configured within the datamodel itself. Right now it is an automatic lookup that is associated to the sourcetype...

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...