Sometimes specific events are missing from an accelerated data model. These events can be found with a regular SPL search.
When searching the data model, the events are only returned when the data model is *not* accelerated. Once the acceleration is enabled, the events do not show up any more. Of course, we checked that the DMA's status is "100% completed". Rebuilding the accelerated data model does not help.
What is really strange: it happens that **events are disappearing from the accelerated data model** that showed up just fine mere minutes earlier. I noticed that today when I refreshed a dashboard and some charts suddenly were empty (which led me to investigate this again and post this question).
Here is an example of a search that is not returning all expected events (we have noticed this issue with different datasets in the past, too):
```
| pivot uberAgent Process_NetworkTargetPerformance
    count(Process_NetworkTargetPerformance) as "Event count"
    splitrow AppName
    filter host is "Client11"
```
We have seen this issue on various versions of Splunk Enterprise 7.1.x and 7.2.x (including 7.2.1).
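An added diagnostic search (not part of the original question) that checks whether the missing events are absent from the acceleration summaries or from the data model as a whole. It assumes the data model `uberAgent` and dataset `Process_NetworkTargetPerformance` from the pivot above, and that `tstats` exposes the dataset's fields with the `Process_NetworkTargetPerformance.` prefix. The first `tstats` reads only the accelerated summaries (`summariesonly=true`); the appended one also falls back to a regular search over raw events (`summariesonly=false`). Any AppName with a positive `missing_from_summary` over the same time range is one whose events are being returned by the data model but not by its acceleration:

```spl
| tstats summariesonly=true count AS summary_count
    FROM datamodel=uberAgent.Process_NetworkTargetPerformance
    WHERE host="Client11"
    BY Process_NetworkTargetPerformance.AppName
| append [
    | tstats summariesonly=false count AS full_count
        FROM datamodel=uberAgent.Process_NetworkTargetPerformance
        WHERE host="Client11"
        BY Process_NetworkTargetPerformance.AppName ]
| stats sum(summary_count) AS summary_count sum(full_count) AS full_count
    BY Process_NetworkTargetPerformance.AppName
| fillnull value=0 summary_count full_count
| eval missing_from_summary = full_count - summary_count
| where missing_from_summary > 0
```

Run both halves over exactly the same time range, and keep that range inside the DMA's configured summary range; otherwise the `summariesonly=false` half will legitimately count events the summaries were never asked to cover, and the difference is expected rather than a symptom.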