Percent complete for data models

awmorris · ‎12-05-2018

If a an accelerated data model is 80% complete, what does that ACTUALLY mean? Does it mean I have 80% of the events? 80% of the time? 80% of the data?

Almost half my data models are not keeping up at even close to 100% but i can't figure out what is actually "missing" from the data models.

awmorris · ‎12-11-2018

I'll refine my question to try to drive out the answer I need... can someone give me a SPL formula I can use to self calculate the percent complete. If I can get the formula, that will tell me the information I am trying to discover. My problem is my data model is at 55% complete and heading south every day.

gjanders · ‎12-17-2018

I have a couple of dashboards in Alerts for Splunk Admins for this purpose, git links here and here

Do they help? As you can see they are based on a conf presentation that is worth watching!

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

tom_frotscher · ‎12-06-2018

Hi,

i do not know the exact definition of this field. But for my experience, it says that in your case 80% of your configured summary range is accelerated (for example 32 out of 40 days).

If this value is not progressing, you might have to many running searches. The data model acceleration is driven by scheduled searches in the background. Can you check the management console for skipped scheduled searches?

Greetings,

Tom

awmorris · ‎12-11-2018

Thanks but that's not it. I have events for each of the 30 days in the data model.

Percent complete for data models

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk