Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Data Model Does Not Show Any Events

Armando
Explorer
‎06-24-2020 07:59 PM

My Network_Traffic data model was working just fine this morning. I stopped the acceleration so that I could add more fields to the All_Traffic data set. It seems that after I did that, it no longer captures any events. I even tried replacing the original constraint of "(`cim_Network_Traffic_indexes`) tag=network tag=communicate" with "index=*" and I still don't get any events during the preview. I tried rebuilding the summaries and that didn't seem to fix the issue. I've also restarted the Splunk Enterprise instance and the server itself with no luck. Lastly, I cloned the data model just for fun but  I still get the same behavior. Has anyone experienced this? If so, were you able to resolve the issue? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Armando
Explorer
‎07-02-2020 08:07 AM

This issue was caused by my own doing. The new fields I added were created as required. I believe the reason it seemed to work OK at first must be that all my initially sampled events just so happened to all include those new required fields. Fields were deleted, recreated as optional, and the data model summary has been rebuilt. Everything is working as intended now.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Armando
Explorer
‎07-02-2020 08:07 AM

This issue was caused by my own doing. The new fields I added were created as required. I believe the reason it seemed to work OK at first must be that all my initially sampled events just so happened to all include those new required fields. Fields were deleted, recreated as optional, and the data model summary has been rebuilt. Everything is working as intended now.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...