Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Accelerated data model returning partial results when using summariesonly=true

mas
Path Finder
‎04-07-2020 10:10 AM

Hello everybody, I see a strange behaviour with data model acceleration.

I have a data model accelerated over 3 months. According to internal logs, scheduled acceleration searches are not skipped and they complete providing results.

However if I run a tstats search over last month with “summariesonly=true”, I do not get any values back; if I run the same tstats search with “summariesonly=false”, I do get expected results. Again, if I run the tstats search over the last 90 days with "summariesonly=true", I get some values back.

Have you ever faced a similar situation? Could this depend upon the small number of events, thus upon buckets not rolled yet?

Please not that this does not look like a generic "recent data not yet summarised" issue, because:

  • acceleration searches complete with success every 5 minutes;
  • data model summary is 100% built;
  • I am missing data at least from the last month.

Thank you for your support!

0 Karma
Reply

mas
Path Finder
‎04-08-2020 08:13 AM

Hello, some updates.

I focused on a short time window for a specific dataset and I found out that accelerated searches ("tstats", "from datamodel" and "datamodel") return 4 events.

On the other hand, raw searches, built both from datamodel definition and using "| datamodel flat_string", return 11 events in the same time window.

The really strange thing is that the acceleration search, executed on the same time window, returns 11 events. I retrieved the acceleration search with "| datamodel acceleration_search_string" and I executed it with a filter on "nodename=".

It looks like, in some way, summary indexes do not store all the expected data. Acceleration searches run every 5 minutes. Sometimes they are skipped due to concurrency limits, but their execution is later recovered.

Any clues or ideas?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...