Hi,
I am new to Data models and accelerations, too. I am trying to parse logs for a data model and ES. The log parsing is progressing now, but it is far from the final solution; I can search by Data model/Pivot.
I checked the Enterprise Security dashboard, but it does not show anything that can be linked to these logs. I executed the dashboard searches manually, and they still show no events matched. (| tstats...) Then I checked the Data model acceleration status:
ACCELERATION
Status: Building
Access Count: 0
Last Access: -
Size on Disk: 0 B
Summary Range: 31536000 second(s)
Buckets: 0
Updated: 1/1/70 1:00:00.000 AM
What causes the problem, and how can I debug and fix it?
This is the Malware data model; there are events with the tags malware and attack. There are events with some action and dest fields too.
Regards,
István
Hi,
Thanks everyone for the help. Finally it looks like the problem has been solved:
After I renamed the Add-on to be "Enterprise Security conformant", the acceleration started to work... (And the ES Endpoint dashboard shows the events.)
http://docs.splunk.com/Documentation/ES/latest/Install/ImportCustomApps
I thought it was only needed for configuration distribution to the indexers. Looks like I was wrong.
Regards,
István
Check this:
https://answers.splunk.com/answers/149645/how-to-tell-if-accelerated-data-model-is-still-rebuilding....
It may help you.
Hi,
Thanks, I already checked the menu/action items under Search & Reporting/Datasets/Malware, Explore/"Visualize with Pivot" and "Investigate in Search". Both show results. (Is this the "View Events"?)
Permissions also look good (scheduler logs).
Regards,
István
Hi, a little update:
I built a Linux test system instead of the Windows-based one. Data model acceleration is now at 100%, but the size is still 0 B.
Running tstats searches:
- with summariesonly=t: no result
- with summariesonly=f: I received a valid result.
As far as I can see, the data model acceleration searches are running successfully.
Any suggestions?
Regards,
István
summariesonly
Syntax: summariesonly=
Description: Only applies when selecting from an accelerated data model. When false, generates results from both summarized data and data that is not summarized. For data not summarized as TSIDX data, the full search behavior will be used against the original index data. If set to true, 'tstats' will only generate results from the TSIDX data that has been automatically generated by the acceleration and non-summarized data will not be provided.
Default: false
In your case the data model acceleration searches are running without success. Does your search contain tokens? And what is the acceleration period?
Hi,
This is the built-in Malware data model with 1 year acceleration period.
ACCELERATION
Status: 100.00% Completed
Access Count: 0
Last Access: -
Size on Disk: 0 B
Summary Range: 31536000 second(s)
Buckets: 96
Updated: 1/11/18 11:41:53.000 AM
The search:
| tstats prestats=true local=false summariesonly=t allow_old_summaries=true count from datamodel=Malware.Malware_Attacks where * by _time span=10m
Regards,
István
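The following SPL searches are an added diagnostic example for the situation described in this thread (100% complete, 0 B on disk, summariesonly=t empty while summariesonly=f returns events); they are not from the original posts. They assume the ES Malware data model lives in the Splunk_SA_CIM app (so its acceleration job is named _ACCELERATE_DM_Splunk_SA_CIM_Malware_ACCELERATE_; the wildcard below is used in case the app name differs), and the summary.* field names from the summarization REST endpoint are assumed from the fields that the Data Models settings page displays. The first search reads the acceleration status through the REST endpoint instead of the UI, the second lists the runs of the acceleration scheduler job, and the third compares, per index and sourcetype, the count from the raw data (summariesonly=f) with the count from the TSIDX summary (summariesonly=t) so that any gap is visible:

```spl
| rest /servicesNS/-/-/admin/summarization by_tstats=1 splunk_server=local count=0
| search summary.id="*Malware*"
| table summary.id summary.complete summary.size summary.buckets summary.access_count summary.earliest_time summary.latest_time

index=_internal sourcetype=scheduler savedsearch_name="_ACCELERATE_DM_*Malware*_ACCELERATE_"
| table _time savedsearch_name status run_time result_count

| tstats summariesonly=f count from datamodel=Malware.Malware_Attacks where earliest=-24h by index sourcetype
| rename count AS raw_count
| join type=outer index sourcetype
    [| tstats summariesonly=t count from datamodel=Malware.Malware_Attacks where earliest=-24h by index sourcetype
     | rename count AS summary_count]
| fillnull value=0 summary_count
| eval gap=raw_count-summary_count
| table index sourcetype raw_count summary_count gap
```

Run each search separately. If the third search shows a raw_count with a summary_count of 0 for every index and sourcetype while the scheduler log shows status=success with result_count=0 on every run, the acceleration job itself is producing nothing, which points at the data model definition (constraints, required fields, app permissions/export) rather than at the tstats query.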
Hi @ikulcsar,
have you found a solution to the problem?
I currently face a similar issue in Splunk 9.0.5 with an accelerated data model, completing 100% but with a 0 byte size and no results while having 30 buckets, and the base search is returning a million events with no errors.
The solution in my case was a field marked as required that was missing in the data; after adding it to the data again, the issue was solved.