- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- What does "summariesonly' mean in this Enterprise ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found this search in ES Content Updates
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name("All_Traffic")`
What mean
`summariesonly`
And what should I do to make this search working?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In this search summariesonly referes to a macro which indicates (summariesonly=true) meaning only search data that has been summarized by the data model acceleration. Summarized data will be available once you've enabled data model acceleration for the data model Network_Traffic.
So first:
Check that the data model is accelerated:
Settings>data models > > edit accelerationIs the data model complete ~100% or always stuck in building ? If stuck building, is the scheduled search able to run? Here you can check scheduler.log and look for
index=_internal source=*scheduler.log* "*Network_Traffic*"
is the status=successful for these searches?
DMA searches are scheduled searches that run every 5 min to keep the summarized data up to date. Here is an example from scheduler.log of a successful run for the data model "Splunk_Audit"
index=_internal source=*scheduler.log* "*Splunk_Audit*"
10-24-2017 12:40:39.875 -0400 INFO SavedSplunker - savedsearch_id="nobody;Splunk_SA_CIM;ACCELERATE_DM_Splunk_SA_CIM_Splunk_Audit.View_Activity_ACCELERATE", search_type="datamodel_acceleration", user="nobody", app="Splunk_SA_CIM", savedsearch_name="ACCELERATE_DM_Splunk_SA_CIM_Splunk_Audit.View_Activity_ACCELERATE", priority=highest, status=success, digest_mode=1, scheduled_time=1508863200, window_time=0, dispatch_time=1508863201, run_time=20.723, result_count=21, alert_actions="", sid="scheduler_nobody_U3BsdW5rX1NBX0NJTQ_RMD5d055c6aa87889902_at_1508863200_2166", suppressed=0, thread_id="AlertNotifierWorker-0"
- if still having issues then run the following search to determine the actual search being run when the scheduled search for the data model acceleration runs:
| rest splunk_server=local /services/datamodel/acceleration | fields title search
copy the value from the search field for the relevant data model and run that search manually to see if there are any issues running that search
- check data model and knowledge object permissions and the app context you are running the search from
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In this search summariesonly referes to a macro which indicates (summariesonly=true) meaning only search data that has been summarized by the data model acceleration. Summarized data will be available once you've enabled data model acceleration for the data model Network_Traffic.
So first:
Check that the data model is accelerated:
Settings>data models > > edit accelerationIs the data model complete ~100% or always stuck in building ? If stuck building, is the scheduled search able to run? Here you can check scheduler.log and look for
index=_internal source=*scheduler.log* "*Network_Traffic*"
is the status=successful for these searches?
DMA searches are scheduled searches that run every 5 min to keep the summarized data up to date. Here is an example from scheduler.log of a successful run for the data model "Splunk_Audit"
index=_internal source=*scheduler.log* "*Splunk_Audit*"
10-24-2017 12:40:39.875 -0400 INFO SavedSplunker - savedsearch_id="nobody;Splunk_SA_CIM;ACCELERATE_DM_Splunk_SA_CIM_Splunk_Audit.View_Activity_ACCELERATE", search_type="datamodel_acceleration", user="nobody", app="Splunk_SA_CIM", savedsearch_name="ACCELERATE_DM_Splunk_SA_CIM_Splunk_Audit.View_Activity_ACCELERATE", priority=highest, status=success, digest_mode=1, scheduled_time=1508863200, window_time=0, dispatch_time=1508863201, run_time=20.723, result_count=21, alert_actions="", sid="scheduler_nobody_U3BsdW5rX1NBX0NJTQ_RMD5d055c6aa87889902_at_1508863200_2166", suppressed=0, thread_id="AlertNotifierWorker-0"
- if still having issues then run the following search to determine the actual search being run when the scheduled search for the data model acceleration runs:
| rest splunk_server=local /services/datamodel/acceleration | fields title search
copy the value from the search field for the relevant data model and run that search manually to see if there are any issues running that search
- check data model and knowledge object permissions and the app context you are running the search from
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
thanks for your detailed answer. I have just realized after running :
| rest splunk_server=local /services/datamodel/acceleration | fields title searchthat my Endpoint Datamodel has an empty search while all the others have one in place.
What might be the reason for that?
I have manually rebuilt the acceleration. Will this do the trick?
Thank you in advance.
Chris
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
