Splunk Enterprise

Data Model Does Not Show Any Events

Armando
Explorer

My Network_Traffic data model was working just fine this morning. I stopped the acceleration so that I could add more fields to the All_Traffic data set. It seems that after I did that, it no longer captures any events. I even tried replacing the original constraint of "(`cim_Network_Traffic_indexes`) tag=network tag=communicate" with "index=*" and I still don't get any events during the preview. I tried rebuilding the summaries and that didn't seem to fix the issue. I've also restarted the Splunk Enterprise instance and the server itself with no luck. Lastly, I cloned the data model just for fun but I still get the same behavior. Has anyone experienced this? If so, were you able to resolve the issue?

0 Karma
1 Solution

Armando
Explorer

This issue was caused by my own doing. The new fields I added were created as required. I believe the reason it seemed to work OK at first must be that all my initially sampled events just so happened to all include those new required fields. Fields were deleted, recreated as optional, and the data model summary has been rebuilt. Everything is working as intended now.

0 Karma
