Reporting

Why isn't my data model returning any data?

graju89
Path Finder

Hi all,

I have upgraded my Splunk from 6.6.6 to 7.1.1 and installed a new Splunk CIM version (4.12). I accelerated a few data models like malware, network traffic and change analysis. The Malware data model is 100% completed. When I try the search query | tstats count from datamodel=Malware | sort -count, it returns 28. So I assume the data model has some data. But it is not showing any data from it.

Note: other data models are in the process of building. My search peers are running 6.6.6 (I don't think it matters).

Any idea why it is not showing any data?

0 Karma

graju89
Path Finder

Just an update for the above post. Setting summariesonly=f returns data. Also, the statistics of the accelerated data are:
Status 100.00% Completed
Access Count 950. Last Access: 11/1/18 11:23:04.000 AM
Size on Disk 167.26 GB
Summary Range 7948800 second(s)
Buckets 1787
Updated 11/1/18 10:54:35.000 AM

Everything looks good. Don't know why summariesonly=true doesn't return anything.

0 Karma