
tstats summariesonly=t gets no results on accelerated data models

Builder

I have installed the CIM app done all of the event typing and tagging to get my data into the data models relevant to my environment. I have accelerated those data models. It's a clustered environment with six indexers and a single search head.

If I run the tstats command with the summariesonly=t, I always get no results.

I've looked in the internal logs to see if there are any errors or warnings around acceleration or the name of the data model, but all I see are the successful searches that show the execution time and amount of events discovered.

Any ideas on how to troubleshoot this? I'd prefer for my dashboards to run only off the TSIDX data rather than raw events.

Thx.


Re: tstats summariesonly=t gets no results on accelerated data models

Champion

Have you checked the status of the acceleration?

Settings -> Data models -> Expand arrow next to the datamodel in question

Under "Acceleration" you should see statistics relevant to the acceleration of this specific datamodel, including percent complete.

0 Karma

Re: tstats summariesonly=t gets no results on accelerated data models

Builder

They're stuck at "Building" with zero disk space usage.

0 Karma

Re: tstats summariesonly=t gets no results on accelerated data models

Champion

The datamodels haven't been summarized, likely due to not having matched events to summarize, so searching with summariesonly=true is expected to return zero results.

Have you tried searching the data without summariesonly=true or via datamodel <datamodel name> search to see if it seems like the datamodel actually finds any data?

0 Karma
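The "Acceleration" panel in Settings shows the same numbers you can pull with a search, which is easier to check across many data models at once. The search below is an added example, not something posted in this thread; it reads the summarization status endpoint on the search head (the field names `summary.complete`, `summary.size`, `summary.is_inprogress`, `summary.buckets` and the `tstats:DM_<app>_<model>` title format are assumed from that REST endpoint) and labels each accelerated model as complete, still building, partial, or never started. A model that sits at 0% with 0 bytes, as described above, is exactly the case that makes `summariesonly=t` return nothing.

```spl
| rest /services/admin/summarization by_tstats=t splunk_server=local count=0
| eval datamodel=replace('summary.id', "DM_" . 'eai:acl.app' . "_", "")
| eval pct_complete=round('summary.complete' * 100, 1),
       size_mb=round('summary.size' / 1024 / 1024, 2)
| eval state=case(
      size_mb=0 AND pct_complete=0,     "never summarized",
      'summary.is_inprogress'="1",      "building",
      pct_complete>=100,                "complete",
      true(),                           "partial")
| table datamodel eai:acl.app state pct_complete size_mb
        summary.buckets summary.earliest_time summary.latest_time
| sort state datamodel
```

To confirm the underlying data matches, compare a summary-only count against the raw count for the same model and time range, for example `| tstats summariesonly=t count from datamodel=Authentication` next to `| tstats summariesonly=f count from datamodel=Authentication`: when the first is 0 and the second is not, the model finds events but has no summaries to read, which matches a "never summarized" row above.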

Re: tstats summariesonly=t gets no results on accelerated data models

Builder

Using | datamodel bla bla search returns results. As does searching without summariesonly=true and tstats.

We enabled acceleration on these data models a while back, so something else is the issue...

0 Karma

Re: tstats summariesonly=t gets no results on accelerated data models

Builder

I think the issue is that the backfill value is too high and the searches are timing out before the initial acceleration.


Re: tstats summariesonly=t gets no results on accelerated data models

Super Champion

You can search a datamodel without the acceleration built out, which is why the tstats and datamodel commands bring back data. What summary range are you accelerating? Are you using Parallel summarization?

0 Karma

Re: tstats summariesonly=t gets no results on accelerated data models

Builder

For the high volume data sources (tens of millions of daily events), I've tried setting the backfill to only be a day. For the lower volume ones with periodic data, like vulnerability scans, those are set to a week.

But even the data models that have a relatively small amount of data and a modest backfill aren't accelerating...

0 Karma
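When the suspicion is that the backfill window or per-run time limit is the problem, it helps to see the effective acceleration settings for every accelerated model side by side rather than opening each one. This is an added example, not from the thread; it reads the merged `datamodels.conf` through the configs REST endpoint on the search head and assumes the standard setting names (`acceleration.earliest_time`, `acceleration.backfill_time`, `acceleration.max_time`, `acceleration.cron_schedule`, `acceleration.max_concurrent`, `acceleration.allow_skew`). The `max_time` default of 3600 seconds is filled in where the stanza does not set it, so that a model with a long backfill and the default per-run limit stands out.

```spl
| rest /services/configs/conf-datamodels splunk_server=local count=0
| search acceleration=1 OR acceleration=true
| rename title AS datamodel, eai:acl.app AS app
| eval max_time_sec=coalesce('acceleration.max_time', 3600)
| eval backfill=coalesce('acceleration.backfill_time', 'acceleration.earliest_time')
| table datamodel app acceleration.earliest_time backfill max_time_sec
        acceleration.cron_schedule acceleration.max_concurrent acceleration.allow_skew
| sort app datamodel
```

Reading the two columns together is the point: `acceleration.earliest_time` is how far back summaries are kept, `backfill` is how far back the initial build goes, and `max_time_sec` caps each scheduled summarization run. If a model that should only need a day of backfill still shows no summary, the problem is unlikely to be the window size, and the next place to look is the `_internal` index for the `summarize` searches of that model (their `savedsearch_name` contains `_ACCELERATE_DM_`), which is where a run that never finishes leaves its trace.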

Re: tstats summariesonly=t gets no results on accelerated data models

Path Finder

@responsys_cm I am having the same issue. Any luck for you in fixing this?

0 Karma

Re: tstats summariesonly=t gets no results on accelerated data models

Champion

Can you include your search strings for both the working and non-working searches?

0 Karma