Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Datamodel accleration status 100%, why do I need allow_old_summaries=t?

MonkeyK
Builder
‎08-26-2019 12:28 PM

I have enabled the Network_Traffic data model with acceleration going back 32 days. After a recent Splunk upgrade to
Splunk: 7.2.6
Splunk ES: 5.2.2

I noticed that my Network Traffic data model count volumes dropped off after going back about 2 weeks, despite an acceleration status of 100% complete. Found that by setting allowoldsummaries=t I could get all of the data.

Tried re-indexing the data model. It seemed to pick up data further back, but still not all of it.
I can check the model with this:

| tstats summariesonly=t allow_old_summaries=t count as DMcountWithOld from datamodel=Network_Traffic.All_Traffic by span=1d _time 
| append [tstats summariesonly=t count as DMcountNoOld from datamodel=Network_Traffic.All_Traffic by span=1d _time ]
| timechart span=1d sum(DMcountWithOld) as DMcountWithOld sum(DMcountNoOld) as DMcountNoOld

and I still see results diverge starting about 2 weeks back
alt text

Any ideas on why the data model acceleration fizzled out?

If it matters, ES is on a 6 search head cluster

Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...