Splunk Enterprise

Data Model Does Not Show Any Events

Armando
Explorer

My Network_Traffic data model was working just fine this morning. I stopped the acceleration so that I could add more fields to the All_Traffic data set. It seems that after I did that, it no longer captures any events. I even tried replacing the original constraint of "(`cim_Network_Traffic_indexes`) tag=network tag=communicate" with "index=*" and I still don't get any events during the preview. I tried rebuilding the summaries and that didn't seem to fix the issue. I've also restarted the Splunk Enterprise instance and the server itself with no luck. Lastly, I cloned the data model just for fun but  I still get the same behavior. Has anyone experienced this? If so, were you able to resolve the issue? 

Labels (1)
0 Karma
1 Solution

Armando
Explorer

This issue was caused by my own doing. The new fields I added were created as required. I believe the reason it seemed to work OK at first must be that all my initially sampled events just so happened to all include those new required fields. Fields were deleted, recreated as optional, and the data model summary has been rebuilt. Everything is working as intended now.

View solution in original post

0 Karma

Armando
Explorer

This issue was caused by my own doing. The new fields I added were created as required. I believe the reason it seemed to work OK at first must be that all my initially sampled events just so happened to all include those new required fields. Fields were deleted, recreated as optional, and the data model summary has been rebuilt. Everything is working as intended now.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...