You're missing the point. That's okay.

It does work with summariesonly=f. The issue is with summariesonly=true and the path the data is contained on the indexer.

This does not work:
| tstats summariesonly=true count from datamodel=Network_Traffic.All_Traffic where * by All_Traffic.src

however this does:
| tstats summariesonly=true count from datamodel=Network_Traffic where * by All_Traffic.src

With summariesonly=t, I get nothing. Without summariesonly=t, I get results.

The problem seems to be that when the acceleration searches run, they find no results. And yet | datamodel XXXX search does.

Without summariesonly=t you get results. Well means the datamodel don't have any accelerated data as @493669 mentioned. @responsys_cm can you please let us know the acceleration period and the volume of events for that particular period? As you mentioned above, your data-model is stuck in building state So might be this information helpful to us.

Thanks

summariesonly=t flag, this tells the data model only to look at existing accelerated data (tsidx data) that has been automatically generated by the acceleration and non-summarized data will not be provided

Here is what I see in the logs for the Change Analysis data model:

02-06-2018 17:12:17.529 +0000 INFO  SavedSplunker - savedsearch_id="nobody;Splunk_SA_CIM;_ACCELERATE_DM_Splunk_SA_CIM_Change_Analysis_ACCELERATE_", search_type="datamodel_acceleration", user="nobody", app="Splunk_SA_CIM", savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Change_Analysis_ACCELERATE_", priority=highest, status=success, digest_mode=1, scheduled_time=1517937120, window_time=0, dispatch_time=1517937120, run_time=0.492, result_count=0, alert_actions="", sid="scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD554b34bdbf03a626a_at_1517937120_10599", suppressed=0, thread_id="AlertNotifierWorker-2"

It runs every 5 minutes, but the result count is always zero.

Yet | datamodel Change_Analysis search earliest=-5m@m returns several hundred results.

I have the backfill period set to 1 day and the timeout for the acceleration search is set to 86400 seconds. Parallelization is set to the default of 3.

This search works: | tstats prestats=t count(Malware_Attacks.signature) FROM datamodel="Malware" BY _time span=1d

This does not: | tstats summariesonly =t prestats=t count(Malware_Attacks.signature) FROM datamodel="Malware" BY _time span=1d

They're stuck at "Building" with zero disk space usage.

The datamodels haven't been summarized, likely due to not having matched events to summarize, so searching with summariesonly=true is expected to return zero results.

Have you tried searching the data without summariesonly=true or via datamodel <datamodel name> search to see if it seems like the datamodel actually finds any data?

Using | datamodel bla bla search returns results. As does searching without summariesonly=true and tstats.

We enabled acceleration on these data models a while back, so something else is the issue...

I think the issue is that the backfill value is too high and the searches are timing out before the initial acceleration.

you can search an datamodel without the acceleration built out, which is why the tstats and datamodel commands bring back data. what summary range are you accelerating? are you using Parallel summarization?

For the high volume data sources (tens of millions of daily events), I've tried setting the backfill to only be a day. For the lower volume ones with periodic data, like vulnerability scans, those are set to a week.

But even the data models that have a relatively small amount of data and a modest backfill aren't accelerating...

@responsys_cm I am having the same issue. Any luck for you in fixing this?