Splunk Search

Accelerating data model with dynamic lookup fields

lianjunj
Explorer

Hi,
I'm using 6.1.x and have built a data model with a dynamic lookup attribute inside. I wonder if I enable the acceleration on this data model, how the dynamic lookup attribute pick up the value change? For example, there is a status attribute with could change from day to day. If the new value is not picked up by the accelerated index, can I schedule the index rebuild by someway so that it refreshes every day?

0 Karma

jlhamlet
Path Finder

Hi

Have you found a solution to this problem ?

Regards,

0 Karma

lianjunj
Explorer

From the doc:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Acceleratedatamodels

"By default Splunk Enterprise automatically rebuilds persistently accelerated data models whenever it finds that those models are outdated. Data models can become outdated when the search stored in the data model configuration in savesearches.conf no longer matches the search for the actual data model. This can happen if the JSON file for an accelerated model is edited on disk without first disabling the model's acceleration.”

That’s almost what I’m looking for. I wonder how can I programmatically make the data model outdated?

0 Karma

lianjunj
Explorer

I could remove the summary file daily based on the cron schedule to force the index rebuild. Will that work?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...