Splunk Enterprise Security

Splunk App for Enterprise Security: Network Resolution Data Model not building

shaung
Engager

The only error I can find which seems relevant is this:

06-12-2015 11:21:59.013 -0600 INFO  SavedSplunker - savedsearch_id="nobody;Splunk_SA_CIM;_ACCELERATE_DM_Splunk_SA_CIM_Network_Resolution_ACCELERATE_", user="nobody", app="Splunk_SA_CIM", savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Network_Resolution_ACCELERATE_", status=skipped, reason="maxAutosummary limit reached", scheduled_time=1434129420

However, I cannot find any details on "maxAutosummary limit reached".

aholzel
Communicator

I know it is a bit late but for those that have the same problem and land on this page (like myself):
The problem setting is "auto_summary_perc" in limits.conf
From docs:

auto_summary_perc = <integer>
* The maximum number of concurrent searches to be allocated for auto
  summarization, as a percentage of the concurrent searches that the scheduler
  can run.
* Auto summary searches include:
  * Searches which generate the data for the Report Acceleration feature.
  * Searches which generate the data for Data Model acceleration.
* Note: user scheduled searches take precedence over auto summary searches.
* Defaults to 50.
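
To see which accelerations the auto-summary limit is starving, the scheduler log lines can be tallied per search. The following is an added example, not part of the thread or of Splunk's code: only the first sample line is the one quoted in the first post, the other three are constructed, and treating any savedsearch_name that starts with _ACCELERATE_ as an auto summary search is an assumption based on that line.

```python
import re
from collections import Counter, defaultdict

# First line is the one quoted in the thread; the other three are constructed
# variations (assumed field layout identical to the quoted line).
_P = '06-12-2015 11:2{m}:59.013 -0600 INFO  SavedSplunker - savedsearch_id="nobody;Splunk_SA_CIM;{n}", user="nobody", app="Splunk_SA_CIM", savedsearch_name="{n}", status={s}, scheduled_time={t}'
_NR = "_ACCELERATE_DM_Splunk_SA_CIM_Network_Resolution_ACCELERATE_"
_AU = "_ACCELERATE_DM_Splunk_SA_CIM_Authentication_ACCELERATE_"
_SKIP = 'skipped, reason="maxAutosummary limit reached"'
SAMPLE_LOG = "\n".join([
    _P.format(m=1, n=_NR, s=_SKIP, t=1434129420),
    _P.format(m=6, n=_NR, s=_SKIP, t=1434129720),
    _P.format(m=1, n=_AU, s="success", t=1434129420),
    _P.format(m=6, n=_AU, s=_SKIP, t=1434129720),
])

KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')  # key="quoted" or key=bare
LIMIT_REASON = "maxAutosummary limit reached"

def parse_fields(line):
    """Return the key=value pairs of one scheduler log line as a dict."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def summarize(log_text):
    """Per acceleration search: scheduled runs, skipped runs, skip reasons."""
    stats = defaultdict(lambda: {"runs": 0, "skipped": 0, "reasons": Counter()})
    for line in log_text.splitlines():
        f = parse_fields(line)
        name = f.get("savedsearch_name", "")
        if not name.startswith("_ACCELERATE_"):  # assumption: auto summary prefix
            continue
        entry = stats[name]
        entry["runs"] += 1
        if f.get("status") == "skipped":
            entry["skipped"] += 1
            entry["reasons"][f.get("reason", "unknown")] += 1
    return dict(stats)

def starved(log_text):
    """Searches whose every scheduled run was skipped at the auto summary limit."""
    return sorted(name for name, s in summarize(log_text).items()
                  if s["runs"] == s["reasons"][LIMIT_REASON])

if __name__ == "__main__":
    for name, s in summarize(SAMPLE_LOG).items():
        print(name, s["runs"], s["skipped"], dict(s["reasons"]))
    print("never built:", starved(SAMPLE_LOG))
```

A search listed by starved() never got a slot in the sampled window, which is the case where the data model does not build at all; one that is skipped only some of the time still builds, just more slowly.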

mdessus_splunk
Splunk Employee

Is there any information in the ES data model audit dashboard?
Are all the other data models working well?
What are your hardware specs and your volume of data indexed per day?
