Network Resolution (DNS) data model doesn't have any data in it
Hello all,
I am trying to get some DNS data into my Network Resolution (DNS) datamodel.
I currently ingest DNS data via the Splunk Stream app which goes into an index called wn_dns_stream.
I have my CIM app white list this index for the Network Resolution (DNS) datamodel.
I have created an event type called dns_stream that is applied to all data with the dns:stream sourcetype.
I also have a tag called dns that gets applied to anything with the eventtype=dns_stream.
In the datamodel settings I can see that Network Resolution looks for the following:
(cim_Network_Resolution_indexes) tag=network tag=resolution tag=dns
When I search for 'cim_Network_Resolution_indexes' I get my wn_dns_stream index with all of its data. In this index I can see my event type and tag that I created.
I then ran this search:
| datamodel "Network_Resolution" summariesonly=true search | timechart span=1h count
This returns nothing even though searching for 'cim_Network_Resolution_indexes' tag=dns returns 300,000 events for the same time period.
Also, I have confirmed with this document that I have the appropriate fields for this data model:
https://docs.splunk.com/Documentation/CIM/4.14.0/User/NetworkResolutionDNS
Does anyone know why my data model doesn't seem to see any data?
I have the same issue and I haven't managed to fix it for the moment.
I will post the Splunk support answer, as nobody provides answers on this forum...
Did you find the answer? I'm new to this platform and got stuck at the same problem.
And do you have acceleration enabled on this datamodel? The summariesonly=true option tells Splunk to only use accelerated summaries for searching, not the raw events.
Thank you for your reply. I've solved the problem. It is related to the wrong definition of my macro "cim_Network_Resolution_indexes".
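For anyone diagnosing the two causes raised in this thread (the summariesonly=true search reading only accelerated summaries, and a wrong cim_Network_Resolution_indexes macro), here is an added set of checks that is not from any of the posters; it assumes the index name wn_dns_stream from the original question and the standard CIM object name Network_Resolution.DNS. The first search shows what the macro currently expands to and which app owns it, the second confirms the data model constraint itself matches events, the third reads the data model from raw events without acceleration, and the last reads it through tstats with summaries optional so an empty result there but not in the third search points at missing or stale acceleration rather than at the constraint.

```spl
| rest /servicesNS/-/-/configs/conf-macros
| search title="cim_Network_Resolution_indexes"
| table title definition eai:acl.app

`cim_Network_Resolution_indexes` tag=network tag=resolution tag=dns
| stats count by index sourcetype eventtype

| datamodel Network_Resolution DNS search
| stats count by sourcetype

| tstats summariesonly=false count from datamodel=Network_Resolution.DNS by sourcetype
```

If the first search shows a definition that does not cover wn_dns_stream, the constraint matches nothing and every later search is empty, which is the failure the reply above describes.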
Ah, so your problem was actually _not_ the same as the original one.
That's why there is rarely a point to digging out old threads 😉
I'm afraid I met the same issue described in the original question at that time: I couldn't map data into the data model. The problem was related to the macro (cim_Network_Resolution_indexes) defined in the constraint of the Network Resolution (DNS) data model. I believe the person who asked this question several years ago might also be a beginner like me :). So, since I've solved the problem, the comment I left here was to help anyone else who might get stuck on this issue. Sorry for any inconvenience (if any) caused by bringing up this question.
Well, the OP explicitly said that they verified the macro, the tags and so on. So while the symptoms were similar (couldn't find the datamodel), the reason would probably have been different.
Just pointing this out so that we avoid confusion and people can benefit from finding the right answer for their problem in the future 🙂
