Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Data Model Acceleration with multiple root events

qjvtenkroode
Explorer
‎06-30-2014 11:12 PM

So after some fiddling with Data Models in Splunk 6.1.1, I created a really simple one which uses the internal indexes. It is based on two root events to start: Internal (constraint: index=_internal) and Audit (constraint: index=_audit). Internal has some child objects:

alt text

The model is being accelerated with a timeframe of 1 month. But when opening Pivot and selecting the first root event (Internal) the model returns 0

alt text

While the second root event (Audit) still works fine.

When taking a look at debug logging for the DataModel component, somehow the second root object is accelerated (which conflicts with the documentation stating only the first root event object is accelerated). On top of this the first root event object doesn't do anything anymore.

alt text

Once acceleration on the model is turned off both root event objects work perfectly. Removing the second root event object and then accelerating the model also keeps the model working.

Why is Splunk trying to accelerate the second root event instead of the first? And why does this completely break the first root object, isn't Pivot supposed to fill up the missing frames with raw data?

0 Karma
Reply

lrod99
New Member
‎03-27-2018 03:07 PM

Acceleration has restrictions, check this out....

https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Aboutdatamodels

To accelerate a data model, it must contain at least one root event dataset, or one root search dataset that only uses streaming commands. Acceleration only affects these dataset types and datasets that are children of those root datasets. You cannot accelerate root search datasets that use nonstreaming commands (including transforming commands), root transaction datasets, and children of those datasets. Data models can contain a mixture of accelerated and unaccelerated datasets.

0 Karma
Reply

sibbsnb
Path Finder
‎03-20-2015 03:34 AM

Don't create multiple Root Events in a model so you don't give a chance to Splunk to mess up 🙂

0 Karma
Reply

Rocket66
Communicator
‎07-01-2014 06:00 AM

Maybe the order is done alphabetic ascending, and not chronological/hierarchical?

0 Karma
Reply

Rocket66
Communicator
‎07-01-2014 08:26 AM

OK, this is weird - not the first bad case regarding datamodels .... open a ticket @ splunk!

0 Karma
Reply

qjvtenkroode
Explorer
‎07-01-2014 08:18 AM

Sadly enough this is not the case, when I use another name for the root event (in this case I tried this with the name "Whatever", which should be one of the last ones if done alphabetically) the same thing occurs.

The worst part is this even happens in the SAMPLE data models which are there by default. Adding a second root event and accelerating makes the second root event the accelerated one, breaks the first root event while any other root events (e.g. the third, fourth and so on) still work but won't benefit data model acceleration except for ad-hoc acceleration.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...