- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- Getting an error when sharing Data Model summaries...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had been sharing DM summaries successfully between a pair of standalone SHs. However, I started getting the error below for one of the DM summaries being shared. Other DM summaries don't appear to have this same issue. Nothing in datamodels.conf has changed and the source SH still has the same GUID. Anyone else run into this issue? Running 9.0.4 on all instances in this deployment.
Summaries for the data model at the specified source GUID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX do not exist. Verify that it is accelerated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Figured it out by looking at search job logs. Looks like the SH that is using the source GUID is parsing out the search using all if it's local knowledge objects. At some point the name of a lookup definition was changed and never updated on this SH's local DM JSON since it wasn't going to be the one generating the summaries. I updated the name of the lookup in the JSON and all is well now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Figured it out by looking at search job logs. Looks like the SH that is using the source GUID is parsing out the search using all if it's local knowledge objects. At some point the name of a lookup definition was changed and never updated on this SH's local DM JSON since it wasn't going to be the one generating the summaries. I updated the name of the lookup in the JSON and all is well now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you provide details on how you did this please? I'm having the same issue, but I'm unsure of what your solution was.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had to look through the search job logs where I noticed there were some errors regarding a lookup that didn't exist in that SH but was being used by the SH running the DM acceleration. I added said lookup and fields to all SHs where I was sharing DMA summaries and the error went away. I'd start by reviewing search job logs and then going over your affected DM(s) to see if there are any lookups being used to populate any fields.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
