Splunk Enterprise Security

Why are the Data Models not building?

mcxrisley08
Path Finder

I have recently rebuilt our server that hosts the Enterprise Security app here and I am having trouble with some of the Data Models not building. I have tried stopping and restarting the acceleration of the models and they all still get stuck at building. Does anyone have any ideas why this may be?

0 Karma
1 Solution

mcxrisley08
Path Finder

UPDATE: I finally fixed the issue with my data models. After doing some troubleshooting I determined that the data was not normalizing, so I downloaded some add-ons and the data models started building and were searchable within a few minutes.

mxg142
Explorer

What add-ons did you specifically download? I am experiencing the same thing so additional context as to what/why this is occurring and what you downloaded to fix the issue would be helpful.

0 Karma

richgalloway
SplunkTrust

@mcxrisley08 If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

mcxrisley08
Path Finder

UPDATE: I still have not fixed this issue but have noticed that whenever I run a search for the tags associated with the data models that are not building, I get 0 results. So I created one of the tags to see if this would fix this issue. The search found the events but matched 0 of 1,879,456 events. Maybe the tags not existing or being able to find the data could be associated with the data models not building?

0 Karma