Splunk Enterprise

Getting an error when sharing Data Model summaries between standalone Search Heads

armandof
Explorer

I had been sharing DM summaries successfully between a pair of standalone SHs. However, I started getting the error below for one of the DM summaries being shared. Other DM summaries don't appear to have this same issue. Nothing in datamodels.conf has changed and the source SH still has the same GUID. Anyone else run into this issue? Running 9.0.4 on all instances in this deployment.

Summaries for the data model at the specified source GUID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX do not exist. Verify that it is accelerated.

Labels (3)
1 Solution

armandof
Explorer

Figured it out by looking at search job logs. Looks like the SH that is using the source GUID is parsing out the search using all if it's local knowledge objects. At some point the name of a lookup definition was changed and never updated on this SH's local DM JSON since it wasn't going to be the one generating the summaries. I updated the name of the lookup in the JSON and all is well now. 

View solution in original post

armandof
Explorer

Figured it out by looking at search job logs. Looks like the SH that is using the source GUID is parsing out the search using all if it's local knowledge objects. At some point the name of a lookup definition was changed and never updated on this SH's local DM JSON since it wasn't going to be the one generating the summaries. I updated the name of the lookup in the JSON and all is well now. 

wgawhh5hbnht
Communicator

Can you provide details on how you did this please? I'm having the same issue, but I'm unsure of what your solution was.

0 Karma

armandof
Explorer

I had to look through the search job logs where I noticed there were some errors regarding a lookup that didn't exist in that SH but was being used by the SH running the DM acceleration. I added said lookup and fields to all SHs where I was sharing DMA summaries and the error went away. I'd start by reviewing search job logs and then going over your affected DM(s) to see if there are any lookups being used to populate any fields.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...