Datamodel Child object not accelerated

Splunk Enterprise Security

We created a child object within the authentication datamodel.
The authentication datamodel is accelerated, when searching the data using summariesonly=t we get data from the root and other childs but not from the child that we created. If we do not use summariesonly=t then we do see data.

As a test i cloned the entire authentication datamodel and accelerated it and then i am able to use summariesonly=t.

What we have tried:
- Rebuild the original authentication datamodel
- Clone the datamodel (works)
- Remove the child object and add it again.

The search we are using:

| tstats summariesonly=t count from datamodel=Authentication_test where nodename=Authentication.Login_Interactive

The only difference i can find is that the original datamodel is in Splunk_SA_CIM and the cloned datamodel is in SplunkEnterpriseSecuritySuite. If anyone has an idea how to get the child element accelerated in the original authentication model i would be a happy splunker.

Get Updates on the Splunk Community!

Datamodel Child object not accelerated

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Datamodel Child object not accelerated

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem