Splunk Enterprise Security

Splunk App for Enterprise Security: Network Resolution Data Model not building

Engager

The only error I can find which seems relevant is this:

06-12-2015 11:21:59.013 -0600 INFO  SavedSplunker - savedsearch_id="nobody;Splunk_SA_CIM;_ACCELERATE_DM_Splunk_SA_CIM_Network_Resolution_ACCELERATE_", user="nobody", app="Splunk_SA_CIM", savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Network_Resolution_ACCELERATE_", status=skipped, reason="maxAutosummary limit reached", scheduled_time=1434129420

However, I cannot find any details on maxAutoSummary limited reached.

Communicator

I know it is a bit late but for those that have the same problem and land on this page (like myself):
The problem setting is "autosummaryperc" in limits.conf
From docs:

auto_summary_perc = <integer>
* The maximum number of concurrent searches to be allocated for auto
  summarization, as a percentage of the concurrent searches that the scheduler
  can run.
* Auto summary searches include:
  * Searches which generate the data for the Report Acceleration feature.
  * Searches which generate the data for Data Model acceleration.
* Note: user scheduled searches take precedence over auto summary searches.
* Defaults to 50.

Splunk Employee
Splunk Employee

Is there any information in the ES datamodel audit dashboard ?
Does all other datamodel are working well ?
What are your hardware spec and your volume of data indexed per day ?

0 Karma