Solved: Data Model Does Not Show Any Events

Armando · ‎06-24-2020

My Network_Traffic data model was working just fine this morning. I stopped the acceleration so that I could add more fields to the All_Traffic data set. It seems that after I did that, it no longer captures any events. I even tried replacing the original constraint of "(`cim_Network_Traffic_indexes`) tag=network tag=communicate" with "index=*" and I still don't get any events during the preview. I tried rebuilding the summaries and that didn't seem to fix the issue. I've also restarted the Splunk Enterprise instance and the server itself with no luck. Lastly, I cloned the data model just for fun but I still get the same behavior. Has anyone experienced this? If so, were you able to resolve the issue?

Armando · ‎07-02-2020

This issue was caused by my own doing. The new fields I added were created as required. I believe the reason it seemed to work OK at first must be that all my initially sampled events just so happened to all include those new required fields. Fields were deleted, recreated as optional, and the data model summary has been rebuilt. Everything is working as intended now.

View solution in original post

Armando · ‎07-02-2020

This issue was caused by my own doing. The new fields I added were created as required. I believe the reason it seemed to work OK at first must be that all my initially sampled events just so happened to all include those new required fields. Fields were deleted, recreated as optional, and the data model summary has been rebuilt. Everything is working as intended now.

Data Model Does Not Show Any Events

configuration

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk