Splunk Enterprise Security

Why are the Data Models not building?

mcxrisley08
Path Finder

I have recently rebuilt our server that hosts the Enterprise Security app here and I am having trouble with some of the Data Models not building. I have tried stopping and restarting the acceleration of the models and they all still get stuck at building. Does anyone have any ideas why this may be?

0 Karma
1 Solution

mcxrisley08
Path Finder

UPDATE: I finally fixed the issue with my data models. After doing some troubleshooting I determined that the data was not normalizing, so I downloaded some add-ons and the data models started building and were searchable within a few minutes.

mxg142
Explorer

What add-ons did you specifically download? I am experiencing the same thing so additional context as to what/why this is occurring and what you downloaded to fix the issue would be helpful.

0 Karma

richgalloway
SplunkTrust

@mcxrisley08 If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

mcxrisley08
Path Finder

UPDATE: I still have not fixed this issue but have noticed that whenever I run a search for the tags associated with the data models that are not building, I get 0 results. So I created one of the tags to see if this would fix this issue. The search found the events but matched 0 of 1,879,456 events. Maybe the tags not existing or being able to find the data could be associated with the data models not building?

0 Karma