Splunk Enterprise

Data Model Does Not Show Any Events

Armando
Explorer

My Network_Traffic data model was working just fine this morning. I stopped the acceleration so that I could add more fields to the All_Traffic data set. It seems that after I did that, it no longer captures any events. I even tried replacing the original constraint of "(`cim_Network_Traffic_indexes`) tag=network tag=communicate" with "index=*" and I still don't get any events during the preview. I tried rebuilding the summaries and that didn't seem to fix the issue. I've also restarted the Splunk Enterprise instance and the server itself with no luck. Lastly, I cloned the data model just for fun but  I still get the same behavior. Has anyone experienced this? If so, were you able to resolve the issue? 

Labels (1)
0 Karma
1 Solution

Armando
Explorer

This issue was caused by my own doing. The new fields I added were created as required. I believe the reason it seemed to work OK at first must be that all my initially sampled events just so happened to all include those new required fields. Fields were deleted, recreated as optional, and the data model summary has been rebuilt. Everything is working as intended now.

View solution in original post

0 Karma

Armando
Explorer

This issue was caused by my own doing. The new fields I added were created as required. I believe the reason it seemed to work OK at first must be that all my initially sampled events just so happened to all include those new required fields. Fields were deleted, recreated as optional, and the data model summary has been rebuilt. Everything is working as intended now.

0 Karma
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...