Splunk Enterprise

Getting an error when sharing Data Model summaries between standalone Search Heads

armandof
Explorer

I had been sharing DM summaries successfully between a pair of standalone SHs. However, I started getting the error below for one of the DM summaries being shared. Other DM summaries don't appear to have this same issue. Nothing in datamodels.conf has changed and the source SH still has the same GUID. Anyone else run into this issue? Running 9.0.4 on all instances in this deployment.

Summaries for the data model at the specified source GUID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX do not exist. Verify that it is accelerated.

Labels (3)
1 Solution

armandof
Explorer

Figured it out by looking at search job logs. Looks like the SH that is using the source GUID is parsing out the search using all if it's local knowledge objects. At some point the name of a lookup definition was changed and never updated on this SH's local DM JSON since it wasn't going to be the one generating the summaries. I updated the name of the lookup in the JSON and all is well now. 

View solution in original post

armandof
Explorer

Figured it out by looking at search job logs. Looks like the SH that is using the source GUID is parsing out the search using all if it's local knowledge objects. At some point the name of a lookup definition was changed and never updated on this SH's local DM JSON since it wasn't going to be the one generating the summaries. I updated the name of the lookup in the JSON and all is well now. 

wgawhh5hbnht
Communicator

Can you provide details on how you did this please? I'm having the same issue, but I'm unsure of what your solution was.

0 Karma

armandof
Explorer

I had to look through the search job logs where I noticed there were some errors regarding a lookup that didn't exist in that SH but was being used by the SH running the DM acceleration. I added said lookup and fields to all SHs where I was sharing DMA summaries and the error went away. I'd start by reviewing search job logs and then going over your affected DM(s) to see if there are any lookups being used to populate any fields.

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...