In Splunk version 8.0, not able to add eventtypes or tags in datamodel constraints

sivaranjiniG
Path Finder

I have created an eventtype using the Splunk internal index and am trying to use it in a datamodel as a constraint of a dataset.

I am getting the below error:
In handler 'datamodeledit': Error in 'test': Dataset constraints must specify at least one index. (test is my dataset name)

The same works in version 7.0. Did that change in the new version of Splunk?

0 Karma

jadoonengr
Engager

Instead of the original command:
sourcetype=access_* action=purchase

The following command worked for me:
index=main sourcetype=access_* action=purchase

Write index=main at the start of the command; then it works for me.

codebuilder
Influencer

If the example you gave above is what you implemented, then your syntax is off.
You can use event types as a root event constraint, but you define it with "eventtype=test", which must have been declared previously.

I tried your example and had no issues. See attached pics.


----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

sivaranjiniG
Path Finder

Is it Splunk version 8.x?

I am not able to use an eventtype.

I am still getting this error: In handler 'datamodeledit': Error in 'test': Dataset constraints must specify at least one index.

nickhills
Ultra Champion

Can you provide your constraints for the root event dataset?
Did you specify index=_internal as part of the constraint?

If my comment helps, please give it a thumbs up!
0 Karma

sivaranjiniG
Path Finder

I have created an eventtype, for example:

eventtype_name = "index = _internal"

In the data model constraints I gave eventtype_name.

0 Karma