
Accelerated Data Model returns results from the last day only

efika
Communicator

In my implementation I have multiple data sources that I mapped to the CIM Authentication data model using tags and partial field aliasing.
Using a |datamodel query on the non-accelerated data model returns the proper results across the time range I've set. The problem starts when I choose to accelerate the data model. It doesn't matter if I choose 1 day, a month or any other value; the pivot or tstats queries return results only from the last day/24 hours.

Has anyone experienced such an issue before?

1 Solution

efika
Communicator

Issue resolved!

Before I proceed with a description of what I did, kudos go to this great community and especially this Answer, which gave me the ultimate hint.

So, in my implementation I have multiple sources that, because of specific needs, communicate highly heterogeneous events to my indexer, which can also include Windows event logs, but not necessarily in the source type expected by the Windows TA.
In order to make use of the event code logic in the Windows TA I have to enable the Windows TA but also do some local automatic lookups in the context of my application.
This caused conflicts, which were eventually resolved by simply checking "Overwrite field values" in the local lookups I did.

In addition, what helped me get to this resolution is the use of tstats with summariesonly=t, which allowed me to understand what I am really getting from the tsidx files alone.

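The lookup conflict described in the answer above, as an added example that is not part of the original post. It assumes a hypothetical CSV lookup definition named win_eventcode_desc with the columns EventCode and action (mapping, say, 4625 to "failure"), and a constructed event whose action field was already populated with the wrong value "success" by an earlier field alias. The two searches differ only in the OUTPUTNEW/OUTPUT keyword of the lookup command:

```spl
| makeresults
| eval EventCode="4625", action="success"
| lookup win_eventcode_desc EventCode OUTPUTNEW action
| table EventCode action

| makeresults
| eval EventCode="4625", action="success"
| lookup win_eventcode_desc EventCode OUTPUT action
| table EventCode action
```

With OUTPUTNEW the lookup only writes action when the event does not already have one, so under the assumption above the first search keeps action=success; with OUTPUT the lookup value wins and the second search returns action=failure. An automatic lookup in props.conf takes the same keyword (LOOKUP-win_eventcode = win_eventcode_desc EventCode OUTPUT action), and the "Overwrite field values" checkbox on an automatic lookup in Splunk Web is what selects OUTPUT instead of OUTPUTNEW.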

efika
Communicator

Another thing to look out for when wishing to accelerate data models is that the data model and all its dependencies must be shared globally:

http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Acceleratedatamodels

You can only accelerate data models that you have shared to all users of an app or shared globally to all users of your Splunk deployment. You cannot accelerate data models that are private. This prevents individual users from taking up disk space with private data model acceleration summaries.

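A diagnostic for the symptom in the question (summary-backed searches covering only the last day) and for the sharing requirement in the comment above, added here as an example that is not part of the thread. It assumes the CIM Authentication data model is installed and accelerated. The first search puts summary-only counts next to summary-plus-raw counts per day, so any day the accelerated summary does not cover shows up with the status "day missing from summary"; the second reads the model's sharing level and acceleration settings through the REST endpoint, so a model that is still private (eai:acl.sharing=user) or whose summary range (earliest_time) is shorter than the search window is visible at a glance:

```spl
| tstats summariesonly=t count FROM datamodel=Authentication BY _time span=1d
| eval origin="summary"
| append
    [| tstats summariesonly=f count FROM datamodel=Authentication BY _time span=1d
     | eval origin="summary_plus_raw"]
| chart max(count) OVER _time BY origin
| fillnull value=0 summary summary_plus_raw
| eval status=if(summary=0 AND summary_plus_raw>0, "day missing from summary", "ok")

| rest /servicesNS/-/-/datamodel/model
| search title="Authentication"
| spath input=acceleration path=enabled output=accel_enabled
| spath input=acceleration path=earliest_time output=accel_earliest
| table title eai:acl.app eai:acl.sharing accel_enabled accel_earliest
```

Run the first search over the same time range that returns too little data from pivot or tstats; rows marked "day missing from summary" are days where raw events match the model but the tsidx summary has nothing, which is exactly the gap summariesonly=t exposes. The second search should show accel_enabled=true, an accel_earliest at least as far back as the search range, and a sharing level of app or global, since a private model cannot be accelerated at all.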


richgalloway
SplunkTrust

@efika, please accept the answer to help future readers.
