Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Data Model Acceleration with multiple root events

qjvtenkroode
Explorer
‎06-30-2014 11:12 PM

So after some fiddling with Data Models in Splunk 6.1.1, I created a really simple one which uses the internal indexes. It is based on two root events to start: Internal (constraint: index=_internal) and Audit (constraint: index=_audit). Internal has some child objects:

alt text

The model is being accelerated with a timeframe of 1 month. But when opening Pivot and selecting the first root event (Internal) the model returns 0

alt text

While the second root event (Audit) still works fine.

When taking a look at debug logging for the DataModel component, somehow the second root object is accelerated (which conflicts with the documentation stating only the first root event object is accelerated). On top of this the first root event object doesn't do anything anymore.

alt text

Once acceleration on the model is turned off both root event objects work perfectly. Removing the second root event object and then accelerating the model also keeps the model working.

Why is Splunk trying to accelerate the second root event instead of the first? And why does this completely break the first root object, isn't Pivot supposed to fill up the missing frames with raw data?

0 Karma
Reply

lrod99
New Member
‎03-27-2018 03:07 PM

Acceleration has restrictions, check this out....

https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Aboutdatamodels

To accelerate a data model, it must contain at least one root event dataset, or one root search dataset that only uses streaming commands. Acceleration only affects these dataset types and datasets that are children of those root datasets. You cannot accelerate root search datasets that use nonstreaming commands (including transforming commands), root transaction datasets, and children of those datasets. Data models can contain a mixture of accelerated and unaccelerated datasets.

0 Karma
Reply

sibbsnb
Path Finder
‎03-20-2015 03:34 AM

Don't create multiple Root Events in a model so you don't give a chance to Splunk to mess up 🙂

0 Karma
Reply

Rocket66
Communicator
‎07-01-2014 06:00 AM

Maybe the order is done alphabetic ascending, and not chronological/hierarchical?

0 Karma
Reply

Rocket66
Communicator
‎07-01-2014 08:26 AM

OK, this is weird - not the first bad case regarding datamodels .... open a ticket @ splunk!

0 Karma
Reply

qjvtenkroode
Explorer
‎07-01-2014 08:18 AM

Sadly enough this is not the case, when I use another name for the root event (in this case I tried this with the name "Whatever", which should be one of the last ones if done alphabetically) the same thing occurs.

The worst part is this even happens in the SAMPLE data models which are there by default. Adding a second root event and accelerating makes the second root event the accelerated one, breaks the first root event while any other root events (e.g. the third, fourth and so on) still work but won't benefit data model acceleration except for ad-hoc acceleration.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...