Splunk Enterprise

When did having an index become mandatory? Is it possible to turn off the mandatory feature?

jwhughes58
Contributor

I'm doing some testing and figured out I need to run this in a savedsearch to extract the JSON field values.

 

index=dam sourcetype="imperva:dam"
| eval dam_json=_raw
| rex field=dam_json mode=sed "s/^.* \{/{/g"
| eval dam_json=replace(dam_json, "\\\\", "-") 
| spath input=dam_json

 

This removes the header "Dec 9 20:15:27 FQDN" and leaves the JSON between the {}.  When I try to use the saved search in a datamodel I get this error

 

In handler 'datamodeledit': Error in 'Imperva_DB_Audit': Dataset constraints must specify at least one index. 

 

The Splunk version on my laptop is Splunk 8.1.0 (build f57c09e87251).  On the production system we are running Splunk 7.3.6 (build 47d8552a4d84) and an index isn't necessary since we have one datamodel with this as the constraints.

 

dlp_rule_severity="HIGH"

 

So two questions.  When did having an index become mandatory?  Is it possible to turn off the mandatory feature?  If not, we will have to go through our datamodels before we upgrade.

TIA,

Joe

0 Karma

sylax
Explorer

- Go to settings > all configuration > search for your datamodel constraint index e.g. cim_Malware_indexes
- edit the macro definition from "()" to "(index=*)" and save the macro
- go back to the datamodel constraint and remove any additional info not included in the original constraint "(`cim_Malware_indexes`) tag=malware tag=attack" and save the datamodel
- go back to the macro and reverse "(index=*)" to "()"

your datamodel should now have the (`cim_Malware_indexes`) tag=malware tag=attack as its constraints

0 Karma
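Joe mentions having to go through every datamodel before upgrading, and the workaround above hinges on what the index macro expands to at save time. The following added example (not Splunk's code, and not posted by anyone in this thread) parses a constructed datamodel definition in the JSON shape Splunk keeps under data/models/, expands the macros its root constraints reference, and lists the root datasets whose constraint contains no index= term. The JSON layout, the macro dictionary and the simple "index=" text match are assumptions; the real check inside Splunk may be stricter.

```python
import json
import re

# Constructed sample modelled on the data/models/<name>.json layout (assumed):
# root datasets have parentName BaseEvent/BaseSearch/BaseTransaction.
DATAMODEL_JSON = json.dumps({
    "modelName": "Example_DM",
    "objects": [
        {"objectName": "Imperva_DB_Audit", "parentName": "BaseEvent",
         "constraints": [{"search": 'sourcetype="imperva:dam"', "owner": "Imperva_DB_Audit"}]},
        {"objectName": "Malware_Attacks", "parentName": "BaseEvent",
         "constraints": [{"search": "(`cim_Malware_indexes`) tag=malware tag=attack",
                          "owner": "Malware_Attacks"}]},
        {"objectName": "DLP", "parentName": "BaseEvent",
         "constraints": [{"search": 'dlp_rule_severity="HIGH"', "owner": "DLP"}]},
        {"objectName": "Child", "parentName": "DLP",
         "constraints": [{"search": "action=blocked", "owner": "Child"}]},
    ],
})
# Constructed macro definitions (name -> definition), as after step 2 above.
MACROS = {"cim_Malware_indexes": "(index=*)"}

ROOT_PARENTS = {"BaseEvent", "BaseSearch", "BaseTransaction"}
MACRO_RE = re.compile(r"`([A-Za-z0-9_]+)(?:\([^`]*\))?`")
INDEX_RE = re.compile(r"(?<![A-Za-z0-9_])index\s*=", re.IGNORECASE)


def expand_macros(search, macros, depth=5):
    """Replace `name` references with their definitions; macros may nest.
    An unknown macro expands to an empty string (Splunk itself would error)."""
    for _ in range(depth):
        new = MACRO_RE.sub(lambda m: macros.get(m.group(1), ""), search)
        if new == search:
            break
        search = new
    return search


def datasets_missing_index(datamodel_json, macros):
    """Names of root datasets whose expanded constraint has no index= term."""
    model = json.loads(datamodel_json)
    missing = []
    for obj in model["objects"]:
        if obj.get("parentName") not in ROOT_PARENTS:
            continue  # child datasets inherit the root dataset's constraint
        joined = " ".join(c["search"] for c in obj.get("constraints", []))
        if not INDEX_RE.search(expand_macros(joined, macros)):
            missing.append(obj["objectName"])
    return missing


if __name__ == "__main__":
    for name in datasets_missing_index(DATAMODEL_JSON, MACROS):
        print(f"{name}: no explicit index in root constraint")
```

Running it with the macro set back to "()" (step 4 above) also flags Malware_Attacks, which is why the save has to happen while the macro still expands to an index term.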

krispyswitch
Loves-to-Learn

Hi -

I can't offer any suggestions, but am also running into the same issue.  Using a DM on Splunk 7.2.1 with no problems.  The DM constraints use tags from eventtypes that include the index/sourcetype.  Have never seen the "Dataset constraints must specify at least one index" on 7.2.1

However migrating the DM over to an 8.0.6 Splunk, this error appears for each root search:  "This object has no explicit index constraint. Consider adding one for better performance." and editing a constraint results in "In handler 'datamodeledit': Error in 'WT_CloudInfrastructure': Dataset constraints must specify at least one index."   All relevant tags/eventtypes exist.

As Joe asked, is it possible to disable or fix this problem?

Thanks,

Kris

0 Karma