Hi Cmerriman, thanks for you effort on this, I had checked in the test01 deployment console -->settings-->datamodel -- but unable to find any data model configured in this instance. So can you please tell me how to find the which data model is configured for the apps/saved search causing the issue.

App name: search
APP Name : DA-deployment_monitor
App name: sos

Kindly help me on this.

Hi Garethatiag, thanks for your effort on this, Can you please guide me how/where I can find the accelerated data models setting on test01 which is the deployment server. From my DMC console, after executing the above query, I could see the above events and from that events, I can fetch the app name and server name not the exact savedsearches name.

Question :

In test01 the below apps are configured but not sure how/where to find the accelerated data models.conf file and saved search details. And also how to fix this issue.

App name: search
APP Name : DA-deployment_monitor
App name: sos

Please garethatiag, help me on the above question, as this issues is pending for more than a week.

Hi Garethatiag, thanks for your effort on this, test01 is the deployment instance and all the three apps are configured under instance, but when checked the deployment console -->settings--knowledge -->datamodel unable to find the data model in deployment instance

But I could see the data model being configured in the cluster search head master server instance. But unable to locate these app in that server under--> opt/splunk/etc/apps/. So can you please help me in how to find out which data model is configured for the apps/saved search causing the issue.

App name: search
APP Name : DA-deployment_monitor
App name: sos

This is the first time I am facing this issue, not having much idea on data models, so please do help
me.

As per the documentation for datamodels can you confirm your inspecting the data model settings in the GUI on a search head...(not the deployer server)

Hi Garethatiag, thanks for your effort on this issue. There are 6 apps throwing the search scheduler status = skipped, out which three apps are configured in the cluster master search heads. search head console -->settings--knowledge -->datamodels.

Query details:
dmc_set_index_internal sourcetype=scheduler (status="skipped")

Event details:

08-27-2017 23:22:51.627 -0400 INFO SavedSplunker - savedsearch_id="nobody;critical_security_controls;ACCELERATE_C090FDA2-105E-4875-A110-3F13FF986151_critical_security_controls_admin_4b2771dc07d5983d_ACCELERATE", search_type="report_acceleration", user="admin", app="critical_security_controls", savedsearch_name="ACCELERATE_C090FDA2-105E-4875-A110-3F13FF986151_critical_security_controls_admin_4b2771dc07d5983d_ACCELERATE", priority=default, status=skipped, reason="The maximum number of concurrent auto-summarization searches on this cluster has been reached", concurrency_category="summarization_scheduled", concurrency_context="cluster-wide", concurrency_limit=15, scheduled_time=1503890400, window_time=0

App name : critical_security_controls

There are 23 data models configured on this app.
1) Alerts 2) Application state 3) authentication 4)certificates 5) change analysis, 6) Data Loss Prevention 7) CIM Validation (S.O.S) 😎 Database 9) Email 10) Hybris script failure 11) Interprocess messaging 12) Instrution detection 13)Inventory 14)JVM 15)Malware 16)Network Resolution (DNS) 17) Network session 18) Network Traffic 19) Performance 20 )splunk audit logs 21) Splunk's internal Audit logs -Sample 22) Splunk's Internal Server Audit logs-Sample 23) Ticket Management 24) Web 25)Vulnerbilities 26)Updates

08-27-2017 23:33:07.111 -0400 INFO SavedSplunker - savedsearch_id="nobody;Splunk_TA_CIM;ACCELERATE_DM_Splunk_TA_CIM_Authentication_ACCELERATE", search_type="datamodel_acceleration", user="nobody", app="Splunk_TA_CIM", savedsearch_name="ACCELERATE_DM_Splunk_TA_CIM_Authentication_ACCELERATE", priority=highest, status=skipped, reason="The maximum number of concurrent auto-summarization searches on this cluster has been reached", concurrency_category="summarization_scheduled", concurrency_context="cluster-wide", concurrency_limit=15, scheduled_time=1503891180, window_time=0

App name: Splunk_TA_CIM

08-27-2017 20:35:05.695 -0400 INFO SavedSplunker - savedsearch_id="nobody;symantec_app;ACCELERATE_DM_symantec_app_Symantec_Endpoint_ACCELERATE", search_type="datamodel_acceleration", user="nobody", app="symantec_app", savedsearch_name="ACCELERATE_DM_symantec_app_Symantec_Endpoint_ACCELERATE", priority=default, status=skipped, reason="The maximum number of concurrent auto-summarization searches on this cluster has been reached", concurrency_category="summarization_scheduled", concurrency_context="cluster-wide", concurrency_limit=15, scheduled_time=1503880500,

App name : symantec_app

Kindly guide me how to fix this problem.

Hi Garethatiag, I have captured everything from the search head console--settings-datamodels-app in the above comments. Kindly guide me to fix the issue.

thanks in advance.

As per https://answers.splunk.com/answers/400227/maximum-number-of-historical-concurrent-system-wid.html you could increase the number of concurrent searches your server can run, this will add more load to your indexers.

If your indexers are not overly busy with CPU/IO then increasing the number of concurrent searches may be a valid option for you, please refer to the linked answer or the limits.conf for configuration you can change.

Changing this setting will require a restart in version 6.5.x and below (I assume it will in higher versions such as 6.6.x but I have not checked)

Hi Garethatiag, Good Morning, hey need to know how to take the list of all auto-summarization searches from search head cluster.

Could you please guide me on how / where I can get this list .
thanks in advance.

I do not have a search for this, i suspect you could query the REST API for all searches and then search for the summarise command or similar.
There might be an answer on SplunkAnswers already or you might want to create a new question.