Splunk App for Enterprise Security: Network Resolu...

shaung · ‎06-12-2015

The only error I can find which seems relevant is this:

06-12-2015 11:21:59.013 -0600 INFO  SavedSplunker - savedsearch_id="nobody;Splunk_SA_CIM;_ACCELERATE_DM_Splunk_SA_CIM_Network_Resolution_ACCELERATE_", user="nobody", app="Splunk_SA_CIM", savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Network_Resolution_ACCELERATE_", status=skipped, reason="maxAutosummary limit reached", scheduled_time=1434129420

However, I cannot find any details on maxAutoSummary limited reached.

aholzel · ‎12-11-2015

I know it is a bit late but for those that have the same problem and land on this page (like myself):
The problem setting is "auto_summary_perc" in limits.conf
From docs:

auto_summary_perc = <integer>
* The maximum number of concurrent searches to be allocated for auto
  summarization, as a percentage of the concurrent searches that the scheduler
  can run.
* Auto summary searches include:
  * Searches which generate the data for the Report Acceleration feature.
  * Searches which generate the data for Data Model acceleration.
* Note: user scheduled searches take precedence over auto summary searches.
* Defaults to 50.

mdessus_splunk · ‎06-24-2015

Is there any information in the ES datamodel audit dashboard ?
Does all other datamodel are working well ?
What are your hardware spec and your volume of data indexed per day ?

Splunk App for Enterprise Security: Network Resolution Data Model not building

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

Video | Tom’s Smartness Journey Continues

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?