Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting an error when sharing Data Model summaries between standalone Search Heads

armandof
Explorer
‎03-23-2023 01:05 PM

I had been sharing DM summaries successfully between a pair of standalone SHs. However, I started getting the error below for one of the DM summaries being shared. Other DM summaries don't appear to have this same issue. Nothing in datamodels.conf has changed and the source SH still has the same GUID. Anyone else run into this issue? Running 9.0.4 on all instances in this deployment.

Summaries for the data model at the specified source GUID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX do not exist. Verify that it is accelerated.

Labels (3)
Reply
1 Solution
Solved! Jump to solution
Solution

armandof
Explorer
‎03-24-2023 08:13 AM

Figured it out by looking at search job logs. Looks like the SH that is using the source GUID is parsing out the search using all if it's local knowledge objects. At some point the name of a lookup definition was changed and never updated on this SH's local DM JSON since it wasn't going to be the one generating the summaries. I updated the name of the lookup in the JSON and all is well now. 

View solution in original post

Reply
Solved! Jump to solution
Solution

armandof
Explorer
‎03-24-2023 08:13 AM

Figured it out by looking at search job logs. Looks like the SH that is using the source GUID is parsing out the search using all if it's local knowledge objects. At some point the name of a lookup definition was changed and never updated on this SH's local DM JSON since it wasn't going to be the one generating the summaries. I updated the name of the lookup in the JSON and all is well now. 

Reply
Solved! Jump to solution

wgawhh5hbnht
Communicator
‎11-01-2023 08:42 AM

Can you provide details on how you did this please? I'm having the same issue, but I'm unsure of what your solution was.

0 Karma
Reply
Solved! Jump to solution

armandof
Explorer
‎11-01-2023 10:21 AM

I had to look through the search job logs where I noticed there were some errors regarding a lookup that didn't exist in that SH but was being used by the SH running the DM acceleration. I added said lookup and fields to all SHs where I was sharing DMA summaries and the error went away. I'd start by reviewing search job logs and then going over your affected DM(s) to see if there are any lookups being used to populate any fields.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...