Splunk Enterprise Security

Why are the Data Models not building?

mcxrisley08
Path Finder

I have recently rebuilt our server that hosts the Enterprise Security app here and I am having trouble with some of the Data Models not building. I have tried stopping and restarting the acceleration of the models and they all still get stuck at building. Does anyone have any ideas why this may be?


mcxrisley08
Path Finder

UPDATE: I finally fixed the issue with my data models. After doing some troubleshooting I determined that the data was not normalizing, so I downloaded some add-ons and the data models started building and were searchable within a few minutes.

mxg142
Explorer

What add-ons did you specifically download? I am experiencing the same thing so additional context as to what/why this is occurring and what you downloaded to fix the issue would be helpful.


richgalloway
SplunkTrust

@mcxrisley08 If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

mcxrisley08
Path Finder

UPDATE: I still have not fixed this issue but have noticed that whenever I run a search for the tags associated with the data models that are not building, I get 0 results. So I created one of the tags to see if this would fix this issue. The search found the events but matched 0 of 1,879,456 events. Maybe the tags not existing or being able to find the data could be associated with the data models not building?
