I found this search in ES Content Updates
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name("All_Traffic")`
What does `summariesonly` mean?
And what should I do to make this search work?
In this search, summariesonly refers to a macro which sets summariesonly=true, meaning it only searches data that has been summarized by data model acceleration. Summarized data will be available once you've enabled data model acceleration for the data model Network_Traffic.
So first:
Check that the data model is accelerated:
Settings > Data models > > Edit acceleration
Is the data model complete (~100%) or always stuck in building? If stuck building, is the scheduled search able to run? Here you can check scheduler.log and look for:
index=_internal source=*scheduler.log* "*Network_Traffic*"
Is the status=successful for these searches?
DMA searches are scheduled searches that run every 5 min to keep the summarized data up to date. Here is an example from scheduler.log of a successful run for the data model "Splunk_Audit":
index=_internal source=*scheduler.log* "*Splunk_Audit*"
10-24-2017 12:40:39.875 -0400 INFO SavedSplunker - savedsearch_id="nobody;Splunk_SA_CIM;ACCELERATE_DM_Splunk_SA_CIM_Splunk_Audit.View_Activity_ACCELERATE", search_type="datamodel_acceleration", user="nobody", app="Splunk_SA_CIM", savedsearch_name="ACCELERATE_DM_Splunk_SA_CIM_Splunk_Audit.View_Activity_ACCELERATE", priority=highest, status=success, digest_mode=1, scheduled_time=1508863200, window_time=0, dispatch_time=1508863201, run_time=20.723, result_count=21, alert_actions="", sid="scheduler_nobody_U3BsdW5rX1NBX0NJTQ_RMD5d055c6aa87889902_at_1508863200_2166", suppressed=0, thread_id="AlertNotifierWorker-0"
| rest splunk_server=local /services/datamodel/acceleration | fields title search
Copy the value from the search field for the relevant data model and run that search manually to see if there are any issues running it.
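As an added example, not part of the answer above, here is a small Python script that applies the scheduler.log check described in that answer to a few constructed log lines: it parses the key=value fields, groups DMA runs by data model, and flags runs that are not status=success or that took longer than the 5-minute schedule interval. The sample lines, their sid values and the skipped-run reason are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample scheduler.log lines (not taken from the thread): a healthy
# Splunk_Audit run, a Network_Traffic run that exceeds its 5-min interval, and a
# Network_Traffic run that the scheduler skipped.
SAMPLE_LOG = """\
10-24-2017 12:40:39.875 -0400 INFO SavedSplunker - savedsearch_id="nobody;Splunk_SA_CIM;ACCELERATE_DM_Splunk_SA_CIM_Splunk_Audit.View_Activity_ACCELERATE", search_type="datamodel_acceleration", user="nobody", app="Splunk_SA_CIM", savedsearch_name="ACCELERATE_DM_Splunk_SA_CIM_Splunk_Audit.View_Activity_ACCELERATE", priority=highest, status=success, digest_mode=1, scheduled_time=1508863200, window_time=0, dispatch_time=1508863201, run_time=20.723, result_count=21, alert_actions="", sid="scheduler_constructed_1", suppressed=0, thread_id="AlertNotifierWorker-0"
10-24-2017 12:40:41.102 -0400 INFO SavedSplunker - savedsearch_id="nobody;Splunk_SA_CIM;ACCELERATE_DM_Splunk_SA_CIM_Network_Traffic_ACCELERATE", search_type="datamodel_acceleration", user="nobody", app="Splunk_SA_CIM", savedsearch_name="ACCELERATE_DM_Splunk_SA_CIM_Network_Traffic_ACCELERATE", priority=highest, status=success, digest_mode=1, scheduled_time=1508863200, window_time=0, dispatch_time=1508863202, run_time=412.5, result_count=180342, alert_actions="", sid="scheduler_constructed_2", suppressed=0, thread_id="AlertNotifierWorker-1"
10-24-2017 12:45:04.330 -0400 WARN SavedSplunker - savedsearch_id="nobody;Splunk_SA_CIM;ACCELERATE_DM_Splunk_SA_CIM_Network_Traffic_ACCELERATE", search_type="datamodel_acceleration", user="nobody", app="Splunk_SA_CIM", savedsearch_name="ACCELERATE_DM_Splunk_SA_CIM_Network_Traffic_ACCELERATE", priority=highest, status=skipped, reason="constructed: max concurrent scheduled searches reached", scheduled_time=1508863500, window_time=0, thread_id="AlertNotifierWorker-0"
"""

# key=value pairs; values are either double-quoted or bare (terminated by comma/space)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')
SCHEDULE_INTERVAL = 300  # DMA searches are scheduled every 5 minutes


def parse_line(line):
    """Return the key=value fields of one scheduler.log line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def datamodel_name(fields):
    """Recover the data model from savedsearch_name, e.g.
    ACCELERATE_DM_Splunk_SA_CIM_Splunk_Audit.View_Activity_ACCELERATE -> Splunk_Audit."""
    name = fields["savedsearch_name"]
    prefix, suffix = "ACCELERATE_DM_" + fields["app"] + "_", "_ACCELERATE"
    if name.startswith(prefix) and name.endswith(suffix):
        name = name[len(prefix):-len(suffix)]
    return name.split(".")[0]  # drop the dataset part, if any


def dma_health(log_text):
    """Per data model: run count, non-success runs (status, reason), runs longer
    than the schedule interval, and the worst dispatch lag in seconds."""
    report = defaultdict(lambda: {"runs": 0, "failures": [], "slow_runs": 0, "max_lag": 0})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("search_type") != "datamodel_acceleration":
            continue
        entry = report[datamodel_name(f)]
        entry["runs"] += 1
        if f.get("status") != "success":
            entry["failures"].append((f.get("status"), f.get("reason", "")))
            continue  # skipped/failed runs carry no run_time or dispatch_time
        if float(f["run_time"]) > SCHEDULE_INTERVAL:
            entry["slow_runs"] += 1  # one run overlaps the next: summaries fall behind
        entry["max_lag"] = max(entry["max_lag"], int(f["dispatch_time"]) - int(f["scheduled_time"]))
    return dict(report)
```

A data model whose entry shows failures or slow runs is the one to chase in the scheduler, before assuming the detection search itself is at fault.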
Hello,
Thanks for your detailed answer. I have just realized, after running:
| rest splunk_server=local /services/datamodel/acceleration | fields title search
that my Endpoint Datamodel has an empty search while all the others have one in place.
What might be the reason for that?
I have manually rebuilt the acceleration. Will this do the trick?
Thank you in advance.
Chris