Splunk Search

Accelerated data model returning partial results when using summariesonly=true

mas
Path Finder

Hello everybody, I see a strange behaviour with data model acceleration.

I have a data model accelerated over 3 months. According to internal logs, scheduled acceleration searches are not skipped and they complete providing results.

However if I run a tstats search over last month with “summariesonly=true”, I do not get any values back; if I run the same tstats search with “summariesonly=false”, I do get expected results. Again, if I run the tstats search over the last 90 days with "summariesonly=true", I get some values back.

Have you ever faced a similar situation? Could this depend upon the small number of events, thus upon buckets not rolled yet?

Please note that this does not look like a generic "recent data not yet summarised" issue, because:

  • acceleration searches complete with success every 5 minutes;
  • data model summary is 100% built;
  • I am missing data at least from the last month.

Thank you for your support!

0 Karma

mas
Path Finder

Hello, some updates.

I focused on a short time window for a specific dataset and I found out that accelerated searches ("tstats", "from datamodel" and "datamodel") return 4 events.

On the other hand, raw searches, built both from datamodel definition and using "| datamodel flat_string", return 11 events in the same time window.

The really strange thing is that the acceleration search, executed on the same time window, returns 11 events. I retrieved the acceleration search with "| datamodel acceleration_search_string" and I executed it with a filter on "nodename=".

It looks like, in some way, summary indexes do not store all the expected data. Acceleration searches run every 5 minutes. Sometimes they are skipped due to concurrency limits, but their execution is later recovered.

Any clues or ideas?

0 Karma
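One way to narrow down which days the summary is missing, added here as an example search rather than anything posted in this thread: it compares per-day counts from the summary (summariesonly=true) against the full data model search (summariesonly=false). `My_Model.My_Dataset` is a placeholder for the affected data model and dataset, and the time range is taken from the time picker (the subsearch inherits it).

```spl
| tstats summariesonly=true count AS summarized
    from datamodel=My_Model.My_Dataset
    by _time span=1d
| append
    [| tstats summariesonly=false count AS total
        from datamodel=My_Model.My_Dataset
        by _time span=1d]
| stats sum(summarized) AS summarized sum(total) AS total by _time
| fillnull value=0 summarized total
| eval missing = total - summarized
| where missing > 0
| sort _time
```

Days that appear in the output are those where the accelerated summary holds fewer events than the raw model search returns, which makes it easier to check whether the gap lines up with skipped or late-recovered acceleration runs in the internal logs.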