Accelerating data model with dynamic lookup fields

lianjunj · ‎05-20-2014

Hi,
I'm using 6.1.x and have built a data model with a dynamic lookup attribute inside. I wonder if I enable the acceleration on this data model, how the dynamic lookup attribute pick up the value change? For example, there is a status attribute with could change from day to day. If the new value is not picked up by the accelerated index, can I schedule the index rebuild by someway so that it refreshes every day?

jlhamlet · ‎09-15-2014

Hi

Have you found a solution to this problem ?

Regards,

lianjunj · ‎05-21-2014

From the doc:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Acceleratedatamodels

"By default Splunk Enterprise automatically rebuilds persistently accelerated data models whenever it finds that those models are outdated. Data models can become outdated when the search stored in the data model configuration in savesearches.conf no longer matches the search for the actual data model. This can happen if the JSON file for an accelerated model is edited on disk without first disabling the model's acceleration.”

That’s almost what I’m looking for. I wonder how can I programmatically make the data model outdated?

lianjunj · ‎05-20-2014

I could remove the summary file daily based on the cron schedule to force the index rebuild. Will that work?

Accelerating data model with dynamic lookup fields

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector