I have two indexers in peer that share 1 index, and 1 data model. Both indexers are configured identically. Both data models are accelerated, and responsive to the '| datamodel' command.
When running a dashboard on our search head that uses the data model, we get the following message;
[indexer_2] The search for datamodel 'abc_123' failed to parse, cannot get indexes to search
When searching normally across peers, there are no errors and both indexers are responsive. When acceleration is disabled, there are no errors. However I would like to keep this feature.
Remove any macro definitions from your data models and expand them. It will work fine after that.
Look at the DM constraints. DMs are picky about the format of the constraints. If there is a macro, it may be hiding a problematic constraint. For instance, you cannot include a subsearch to return a filter.
This is due to a bug that caused eventtypes to no longer be able to use macros. This bug is showing fixed in 6.5.3 for SPL-130614 and SPL-135384 but we can find no releases that show that either SPL-135385 or SPL-135387 are fixed anywhere so if this matters to you, then dogpile onto these JIRAs.
Just hit the same issue with Varonis at a custer 🙂
I fixed this issue on the Malware Datamodel that ships with CIM app by disabling or editing any eventtype tag search that used a macro and tags malware/attack.
That is what I said above. No need to disable anything though, just expand any macros in the data models.
I didn't read eventtype tags from another application as "in the data model". I read it more as macros in the search that populates the data model. Just added some clarification.
I had the same problem, please verify everything from the root search to the constraint by disabling acceleration and doing a preview or copy paste your search in the search bar. There could be some issue in your search, in my case there was an unbalanced ) which was the issue.
My situation was a missing lookup file. After disabling acceleration, selecting Pivot revealed the source of the error.
Remove any macro definitions from your data models and expand them. It will work fine after that.
Hey...Would you be able to explain your statement in bit detail.
i am unaware of what is macro def in datamodel.
Thanks
@dmaislin, I am hitting the same problem but my search didn't use any macro. What could be other causes?