I have been pulling my hair out on this one all day.

I have an accelerated data model that has two data sets:

• hostInfo
• networkInfo

They are stand alone root searches. They do happen to share some fields like hostname. When running the searches in a normal splunk search window work perfectly fine. Example:

index=summary_host_info search_name="Host_Info" | fields hostname os cpu

However, only the first data set ever returns results from tstats. I've tested and swapped the two around.

Example of a simple query I've been using to test:

| tstats count("hostInfo.hostname") FROM datamodel="endpoint_info" WHERE nodename="hostInfo"

 There are no required fields, permissions seem fine and the data model summary is 10% built at around 1gb. I can even recreate the same data set and use that as the second one and that second identical data set will not return results.

Edit: I finally found a warning after clicking on "Datasets" at the top and clicking into one specifically:

    Issue occurred with data model 'test.s3jaytest'. Issue: 'Failed to generate dmid' Reason: 'Error in 'DataModelCache': Invalid or unaccelerable root object for datamodel'.
    Failed to parse options. Clearing out read-summary arguments.

What does this mean and how do I fix it? I'm using root searches, not root events.