Hello!! I have a question about how to do something.
Within an index I have a field called entity, this corresponds to companies to which we manage their products.
In total we have 130 different entities, and each entity has 5 different users, and the entity only sees its information in the reports, it cannot see the information of other entities.
The information of all the entities is stored in a single index, doing 130 indexes to assign permissions seemed a little long task, and the provider in charge recommended for this, use loockups.
We have a loockup that says the name of the user and the name of the entity, and with a token in the dashboards we filter the information. With this everyone sees what they need to see. We add the user field that comes from the loockup in the datamodel
The problem we have is that when we enter a new user in the loockup, if the data model is accelerated, it never updates the information for this new user, if we do not accelerate the datamodel, the information is updated immediately.
We tried to disable the acceleration and put it back, but it still didn't work for us, it kept bringing the same information before we made the change in the loockup.
Another approach we did was to do an automatic loockup on the index, but the same thing happens, if it is not accelerated, it updates the information immediately, but if it is, it stays the same.
And if we build the datamodel again, creating it with another name, but with the same root event and the same fields, if it brings the updated information.
What other suggestions would you have to do something like this? Or that they see that I am doing wrong so that the process does not work as I think it should work? I leave three additional images, one of the loockup, and another of the accelerated datamodel and without acceleration, so that you can see the differences.
Thanks a lot!!
Lookup
With acceleration
Without acceleration
Hi @DaniloMejia,
In order to be able to make changes in the lookup, you shouldn't put it inside root search, instead you should use lookup command on dashboard, report etc. As a sample;
|tstast count from datamodel=Datamodel_Name by codigo_entidad | lookup permisos_entidades codigo_entidad OUTPUTNEW usuario
If this reply helps you an upvote is appreciated.
Hi @DaniloMejia,
In order to be able to make changes in the lookup, you shouldn't put it inside root search, instead you should use lookup command on dashboard, report etc. As a sample;
|tstast count from datamodel=Datamodel_Name by codigo_entidad | lookup permisos_entidades codigo_entidad OUTPUTNEW usuario
If this reply helps you an upvote is appreciated.
This is working!! Thank you very much!!
Hi @DaniloMejia,
Datamodel acceleration creates a separate summary index data using the values on acceleration. Lookup values are being recorded also in this summary. That is why further changes on your lookups will not be updated. When you disable acceleration, summary will not be used, your searches will use actual data and lookup values.
The safest way would be removing lookup commands from datamodel fields and adding lookup command to the end of your search.
If this reply helps you an upvote is appreciated.
I am trying this in search root:
index="idx_informes_transacciones" sourcetype="st_trx_exitosas_noexitosas" source="trx_exitosas_noexitosas" codigo_entidad="00000105" | lookup permisos_entidades codigo_entidad OUTPUTNEW usuario
but when I accelerate the data model it is stuck in building, I imagine it is because of the lookup command, because it is a nonstreaming command.
And what I'm looking for is to be able to speed up the data model and be able to make changes in the lookup
Thank you for the help!!