https://community.splunk.com/t5/Monitoring-Splunk/All-eventtypes-in-eventtypes-conf-not-found-in-btool-search/m-p/351627#M3083 <P>Have a try by </P> <PRE><CODE>$SPLUNK_HOME/bin/splunk cmd btool eventtypes list --debug &gt; /tmp/eventtypes.btool </CODE></PRE> <P>and then physically check in the output file to see if anything missing.</P> Fri, 03 Nov 2017 23:03:49 GMT koshyk 2017-11-03T23:03:49Z https://community.splunk.com/t5/Monitoring-Splunk/All-eventtypes-in-eventtypes-conf-not-found-in-btool-search/m-p/351626#M3082 <P>This is my local/eventtypes.conf file</P> <PRE><CODE>[juniper_sslvpn_auth] search = sourcetype=juniper_sslvpn_mag "authentication successful" OR "authentication failed" [juniper_sslvpn_authz] priority = 6 search = sourcetype=juniper_sslvpn_mag "WebRequest Completed" OR "Closed Connection" [juniper_sslvpn_auth_failed] priority = 5 search = index=vpn sourcetype=juniper:sslvpn "Primary authentication failed" [juniper_sslvpn_auth_successful] priority = 5 search = index=vpn sourcetype=juniper:sslvpn "Primary authentication successful" [juniper_sslvpn_webrequest] priority = 5 search = index=vpn sourcetype=juniper:sslvpn "WebRequest" [juniper_sslvpn_webrequest_sso_successful] priority = 5 search = index=vpn sourcetype=juniper:sslvpn "Web SSO: Authentication successful" </CODE></PRE> <P>The juniper_sslvpn_mag eventtypes are disabled. When I run</P> <PRE><CODE>/apps/splunk/bin/splunk btool eventtypes list | less </CODE></PRE> <P>and grep for juniper, all I get is </P> <PRE><CODE>[juniper_sslvpn_auth_failed] color = description = disabled = 0 priority = 5 search = index=vpn sourcetype=juniper:sslvpn "Primary authentication failed" tags = [juniper_sslvpn_auth_successful] color = description = disabled = 0 priority = 5 search = index=vpn sourcetype=juniper:sslvpn "Primary authentication successful" tags = [juniper_sslvpn_webrequest] color = description = disabled = 0 priority = 5 search = index=vpn sourcetype=juniper:sslvpn "WebRequest" tags = </CODE></PRE> <P>I can't see any reason why the final stanza in local/eventtypes.conf is not found by btool. Any ideas?</P> <P>TIA,<BR /> Joe</P> Tue, 29 Sep 2020 16:37:45 GMT https://community.splunk.com/t5/Monitoring-Splunk/All-eventtypes-in-eventtypes-conf-not-found-in-btool-search/m-p/351626#M3082 jwhughes58 2020-09-29T16:37:45Z https://community.splunk.com/t5/Monitoring-Splunk/All-eventtypes-in-eventtypes-conf-not-found-in-btool-search/m-p/351627#M3083 <P>Have a try by </P> <PRE><CODE>$SPLUNK_HOME/bin/splunk cmd btool eventtypes list --debug &gt; /tmp/eventtypes.btool </CODE></PRE> <P>and then physically check in the output file to see if anything missing.</P> Fri, 03 Nov 2017 23:03:49 GMT https://community.splunk.com/t5/Monitoring-Splunk/All-eventtypes-in-eventtypes-conf-not-found-in-btool-search/m-p/351627#M3083 koshyk 2017-11-03T23:03:49Z https://community.splunk.com/t5/Monitoring-Splunk/All-eventtypes-in-eventtypes-conf-not-found-in-btool-search/m-p/351628#M3084 <P>Hi Koshyk,</P> <P>The debug option helped me figure out what is going on with the eventtypes.conf. I have a precedence issue I have to figure out. Another day of learning. Nice to know about the --debug option.</P> <P>Joe</P> Fri, 03 Nov 2017 23:18:48 GMT https://community.splunk.com/t5/Monitoring-Splunk/All-eventtypes-in-eventtypes-conf-not-found-in-btool-search/m-p/351628#M3084 jwhughes58 2017-11-03T23:18:48Z https://community.splunk.com/t5/Monitoring-Splunk/All-eventtypes-in-eventtypes-conf-not-found-in-btool-search/m-p/351629#M3085 <P>thanks mate. I've put it an answer , if you can please upvote/accept it.</P> Sat, 04 Nov 2017 09:12:47 GMT https://community.splunk.com/t5/Monitoring-Splunk/All-eventtypes-in-eventtypes-conf-not-found-in-btool-search/m-p/351629#M3085 koshyk 2017-11-04T09:12:47Z