Reporting

Data Model Acceleration with multiple root events

qjvtenkroode
Explorer

So after some fiddling with Data Models in Splunk 6.1.1, I created a really simple one which uses the internal indexes. It is based on two root events to start: Internal (constraint: index=_internal) and Audit (constraint: index=_audit). Internal has some child objects:


The model is being accelerated with a timeframe of 1 month. But when opening Pivot and selecting the first root event (Internal) the model returns 0


While the second root event (Audit) still works fine.

When taking a look at debug logging for the DataModel component, somehow the second root object is accelerated (which conflicts with the documentation stating only the first root event object is accelerated). On top of this the first root event object doesn't do anything anymore.


Once acceleration on the model is turned off both root event objects work perfectly. Removing the second root event object and then accelerating the model also keeps the model working.

Why is Splunk trying to accelerate the second root event instead of the first? And why does this completely break the first root object, isn't Pivot supposed to fill up the missing frames with raw data?

0 Karma

lrod99
New Member

Acceleration has restrictions, check this out....

https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Aboutdatamodels

To accelerate a data model, it must contain at least one root event dataset, or one root search dataset that only uses streaming commands. Acceleration only affects these dataset types and datasets that are children of those root datasets. You cannot accelerate root search datasets that use nonstreaming commands (including transforming commands), root transaction datasets, and children of those datasets. Data models can contain a mixture of accelerated and unaccelerated datasets.

0 Karma

sibbsnb
Path Finder

Don't create multiple Root Events in a model so you don't give a chance to Splunk to mess up 🙂

0 Karma

Rocket66
Communicator

Maybe the order is done alphabetic ascending, and not chronological/hierarchical?

0 Karma

Rocket66
Communicator

OK, this is weird - not the first bad case regarding datamodels .... open a ticket @ splunk!

0 Karma

qjvtenkroode
Explorer

Sadly enough, this is not the case: when I use another name for the root event (in this case I tried this with the name "Whatever", which should be one of the last ones if done alphabetically), the same thing occurs.

The worst part is this even happens in the SAMPLE data models which are there by default. Adding a second root event and accelerating makes the second root event the accelerated one, breaks the first root event while any other root events (e.g. the third, fourth and so on) still work but won't benefit data model acceleration except for ad-hoc acceleration.

0 Karma
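A quick way to confirm which root dataset actually has a usable summary, added here as an example and not taken from the thread (it assumes the model is saved under the name `internal_model`; the root datasets `Internal` and `Audit` are the ones from the question):

```spl
| tstats summariesonly=true count from datamodel=internal_model.Internal by _time span=1d
| tstats summariesonly=false count from datamodel=internal_model.Internal by _time span=1d
| tstats summariesonly=true count from datamodel=internal_model.Audit by _time span=1d
| datamodel internal_model Internal search | head 5
```

Run each line as its own search: with `summariesonly=true` tstats only reads the acceleration summary, so a root dataset whose summary is empty returns no rows, while `summariesonly=false` falls back to raw events for the uncovered time ranges and the `datamodel` command shows whether the unaccelerated constraint search itself still matches data.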