Reporting

Accelerated data model with higher event count than corresponding indexed data

camillak
Path Finder

Has anyone seen an issue where an accelerated data model has duplicate events in tsidx files? Occasionally I encounter an issue where there are many more records in the accelerated data model compared to the corresponding index data.

I get the data model event count using

| tstats count from datamodel=<datamodel> by _time

And also see the high count in the pivot GUI. Rebuilding the data model will correct it so that the event counts match. I'd like to be able to prevent this from happening or at least understand why it occurs.
Around the time that the data model gets 'corrupted', I've noticed a lot of sourcetype=splunkd_access events are generated with a URI that looks like this:

/servicesNS/user1/myapp/admin/summarization/tstats%3ADM_myapp_mydatamodel/touch

The user1 in this URI has limited permissions. They have access to accelerate_search but not to schedule_search which I think is is required for accelerate_search to be truly enabled. Anyway this URI is as close as I've been able to get to any sort of explanation. I never see it except when this issue is occurring. Is there any way to block a user role from executing this 'touch' search? Is this a cause or just another symptom?

There are 12 datamodels in my app and this is happening to all of them except the slimmest 1 or 2. It occurs most often when the system has a lot of incoming data to crunch so it does seem to be process- or resource-related.

Get Updates on the Splunk Community!

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...