I have installed the CIM app and done all of the event typing and tagging to get my data into the data models relevant to my environment. I have accelerated those data models. It's a clustered environment with six indexers and a single search head.
If I run the tstats command with the summariesonly=t, I always get no results.
I've looked in the internal logs to see if there are any errors or warnings around acceleration or the name of the data model, but all I see are the successful searches that show the execution time and number of events discovered.
Any ideas on how to troubleshoot this? I'd prefer for my dashboards to run only off the TSIDX data rather than raw events.
Have you checked the status of the acceleration?
Settings -> Data models -> Expand arrow next to the datamodel in question
Under "Acceleration" you should see statistics relevant to the acceleration of this specific datamodel, including percent complete.
The datamodels haven't been summarized, likely due to not having matched events to summarize, so searching with summariesonly=true is expected to return zero results.
Have you tried searching the data without summariesonly=true, or via | datamodel <datamodel name> search, to see if the datamodel actually finds any data?
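An added example, not posted by anyone in this thread, that turns the two suggestions above into searches you can run from the search head: first the same tstats count with and without summariesonly, then a REST query for the acceleration status of the model. The data model name Network_Traffic is assumed for illustration; the summarization endpoint and its summary.* field names are the ones Splunk's own Data Model Audit dashboard uses, but treat them as an assumption if your version differs.

```spl
| tstats summariesonly=t count FROM datamodel=Network_Traffic BY _time span=1h

| tstats summariesonly=f count FROM datamodel=Network_Traffic BY _time span=1h

| tstats summariesonly=t allow_old_summaries=t count FROM datamodel=Network_Traffic BY _time span=1h

| rest /services/admin/summarization by_tstats=t splunk_server=local count=0
| search title="tstats:DM_*Network_Traffic*"
| table title summary.complete summary.earliest_time summary.latest_time summary.size summary.buckets summary.mod_time
```

The three tstats searches are meant to be run one at a time. If the second returns rows and the first does not, the summaries simply do not exist yet (the REST table should then show summary.complete near 0 and no earliest/latest time). If the third returns rows but the first does not, the summaries exist but the model definition changed after they were built, so the old summaries are being discarded; re-enabling acceleration rebuilds them. summary.size and summary.buckets growing between runs is the quickest sign that the acceleration jobs are actually writing TSIDX files on the indexers rather than timing out.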
Using | datamodel bla bla search returns results. As does searching without summariesonly=true and tstats.
We enabled acceleration on these data models a while back, so something else is the issue...
I think the issue is that the backfill value is too high and the searches are timing out before the initial acceleration.
You can search a datamodel without the acceleration built out, which is why the tstats and datamodel commands bring back data. What summary range are you accelerating? Are you using parallel summarization?
For the high volume data sources (tens of millions of daily events), I've tried setting the backfill to only be a day. For the lower volume ones with periodic data, like vulnerability scans, those are set to a week.
But even the data models that have a relatively small amount of data and a modest backfill aren't accelerating...