Other Usage

Data model acceleration status: Building

ikulcsar
Communicator

Hi,

I am new to Data models and accelerations, too. I am trying to parse log for a data model and ES. The log parsing is moving now, but far from the final solution, I can search by Data model/Pivot.

I checked the Enterprise Security dashboard, but it does not show anything that can be linked to this logs. I executed the dashboards searches manually, still shows no event matched. (| tstats...) Then I checked Data model acceleration status:
ACCELERATION
Rebuild Update Edit

Status Building
Access Count 0.
Last Access: -

Size on Disk 0 B
Summary Range 31536000 second(s)
Buckets 0

Updated 1/1/70 1:00:00.000 AM

What couse the problem, how can I debug and fix it?
This is the Malware data model, there are events with tag malware and attack. There are events with some action and dest fields to.

Regards,
István

0 Karma

ikulcsar
Communicator

Hi,

Thanks everyone for the help. Finally looks like the problem have been solved:
After I renamed the Add-on to "Enterprise Security conform", the acceleration starts to works... (And ES Endpoint dashboard show the events.)
http://docs.splunk.com/Documentation/ES/latest/Install/ImportCustomApps

I thought it was only due to configuration distribution for Indexer. Looks like I was wrong.

Regards,
István

0 Karma

mayurr98
Super Champion
0 Karma

ikulcsar
Communicator

Hi,

Thx, I already checked the menu/action item under Search & Reporting/Datasets/Malware, Explore/"Visualize with Pivot" and "Investigate in Search". Both show results. (This is the "View Events"?)
Permissions also look good (scheduler logs).

Regards,
István

0 Karma

ikulcsar
Communicator

Hi, a little update:

I built a Linux test system instead of Windows-based. Data model acceleration now 100%, but size still 0B.

Running tstats searches:
- with summariesonly=t: no result
- with summariesonly=f: I've received a valid result.

I far as I can see, the searches of the Data model acceleration running with success,

Any suggestion?

Regards,
István

0 Karma

mayurr98
Super Champion

summariesonly
Syntax: summariesonly=
Description: Only applies when selecting from an accelerated data model. When false, generates results from both summarized data and data that is not summarized. For data not summarized as TSIDX data, the full search behavior will be used against the original index data. If set to true, 'tstats' will only generate results from the TSIDX data that has been automatically generated by the acceleration and non-summarized data will not be provided.
Default: false

in your case searches of the Data model acceleration running without success does your search contains tokens? and what is the acceleration period?

0 Karma

ikulcsar
Communicator

Hi,

This is the built-in Malware data model with 1 year acceleration period.
ACCELERATION
Rebuild Update Edit

Status 100.00% Completed
Access Count 0. Last Access: -

Size on Disk 0 B

Summary Range 31536000 second(s)

Buckets 96
Updated 1/11/18 11:41:53.000 AM `

The search:

| tstats prestats=true local=false summariesonly=t allow_old_summaries=true count from datamodel=Malware.Malware_Attacks where * by _time span=10m

Regrads,
István

0 Karma

_Tom
Explorer

Hi @ikulcsar,

have you found a solution to the problem?
I currently face a similar issue in Splunk 9.0.5 with an accelerated datamodel, completing 100% but with 0 byte size and no results while having 30 buckets and the base-search is returing a million events and no errors.

0 Karma

_Tom
Explorer

Solution in my case was a field marked as required which was missing in the data - after adding it to the data again the issue was solved.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...