Splunk ActiveDirectory: Search operation 'eventtype' is unknown.

BP9906
Builder

I just did an app upgrade for the Splunk AD app on Splunk Server 4.3.3. As soon as I did, the Splunk AD app fails to function (except search works).

I get a red bar with:
Search operation 'eventtype' is unknown. You might not have permission to run this operation.

SOS says the webservice log errors:

2012-12-03 13:46:35,415 ERROR [50bd1dbb52e54ce10] search:236 - Search operation 'eventtype' is unknown. You might not have permission to run this operation.
Traceback (most recent call last):
  File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/search.py", line 229, in dispatchJob
    job = splunk.search.dispatch(q, sessionKey=cherrypy.session['sessionKey'], **options)
  File "/opt/splunk/lib/python2.7/site-packages/splunk/search/__init__.py", line 282, in dispatch
    raise splunk.SearchException, msg['text']
SearchException: Search operation 'eventtype' is unknown. You might not have permission to run this operation.

No clue where to go next, other than revert back to the previous version.

Any suggestions?

Thank you!

0 Karma

ahall_splunk
Splunk Employee

The Splunk App for Active Directory is not a straightforward "install it on the search head and you are good" app - the Technology Addons, SA-ldapsearch, macros, lookups and event types all coordinate to provide the information.

There are a bunch of things that can be going wrong here, and they are probably all driven by the fact that there is an upgrade process.

Bring up the Search page in the Splunk App for Active Directory and execute the following search:

eventtype=msad-dc-health

Make sure that is bringing back data. If it is, then the rest of the app should work, since you are getting the right things happening. If it isn't, then you are likely going to get the same error as before. Make sure the eventtypes.conf is properly installed and that there are no local copies of the eventtypes.conf.

0 Karma

BP9906
Builder

I finally just fixed this by deleting my eventtypes.conf, macros.conf, and savedsearches.conf in my Splunk_for_ActiveDirectory/local folder. Then I copied my eventtypes.conf and macros.conf to local and edited the 'index=' references again and everything started working again.

0 Karma

BP9906
Builder

The search for eventtype=msad-dc-health gives me results when I run it back 30 days. I have some conf files in the AD/local folder because I customized the indexes and thus the resulting related searches in eventtypes.conf. There didn't seem to be a huge change between the new default and the previous, but I still made a copy of default/eventtypes.conf to local/eventtypes.conf and re-customized the indexes referenced. That didn't seem to make a difference. I did a quick grep -i "eventtypes =" * -R and no hits.
Since this was just an upgrade of the app, there must be some other changes.

0 Karma

ahall_splunk
Splunk Employee

As another idea, look in your macros.conf and ensure that the domain-selector macro starts with inputlookup - if it starts with eventtype= then that's your issue. The file will be in Splunk_for_ActiveDirectory/local/macros.conf

0 Karma
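The two checks the thread converges on (a local macros.conf whose domain-selector macro still starts with eventtype= instead of inputlookup, and leftover local/ overrides of eventtypes.conf that no longer line up with the upgraded default/) can be scripted. The following POSIX sh audit is an added example, not code from the thread or from the Splunk App for Active Directory; it assumes the standard Splunk conf layout ([stanza] headers with key = value lines, a definition key for macros) and that the macro stanza is named [domain-selector] with no argument suffix. The sample conf contents in the usage section are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the Splunk app): audit an app's
# local/ overrides after an upgrade. Assumes Splunk's INI-style conf format.

# Print the "definition" value of one macro stanza in a macros.conf file.
#   $1 = path to macros.conf, $2 = macro stanza name (e.g. domain-selector)
macro_definition() {
    awk -v want="[$2]" '
        $0 == want { in_stanza = 1; next }     # entered the wanted stanza
        /^\[/      { in_stanza = 0 }           # any other header ends it
        in_stanza && /^definition[ \t]*=/ {
            sub(/^definition[ \t]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Classify the domain-selector macro in the given macros.conf:
#   0 = starts with inputlookup (expected), 1 = starts with eventtype=
#   (the broken state the thread describes), 2 = missing, 3 = something else.
check_domain_selector() {
    def=$(macro_definition "$1" domain-selector)
    case "$def" in
        "")           return 2 ;;
        inputlookup*) return 0 ;;
        eventtype=*)  return 1 ;;
        *)            return 3 ;;
    esac
}

# Print stanza headers present in a local conf but absent from the default
# conf: overrides left behind by a previous version that the upgrade did not
# touch.  $1 = default/<file>.conf, $2 = local/<file>.conf
stale_local_stanzas() {
    awk 'FNR == NR { if (/^\[/) seen[$0] = 1; next }   # collect default stanzas
         /^\[/ && !($0 in seen) { print }' "$1" "$2"   # report local-only ones
}

# Print "stanza<TAB>index=..." for every index= reference in a conf file, so
# the customised indexes in local/ can be compared against default/ by eye.
index_refs() {
    awk '/^\[/ { stanza = $0; next }
         match($0, /index=[^ |)]+/) {
             print stanza "\t" substr($0, RSTART, RLENGTH)
         }' "$1"
}

# Usage, with constructed sample files (run only when executed directly):
if [ "${AUDIT_DEMO:-0}" = 1 ]; then
    app=/opt/splunk/etc/apps/Splunk_for_ActiveDirectory   # assumed path
    check_domain_selector "$app/local/macros.conf"; echo "domain-selector status: $?"
    stale_local_stanzas "$app/default/eventtypes.conf" "$app/local/eventtypes.conf"
    index_refs "$app/local/eventtypes.conf"
fi
```

A status of 1 from check_domain_selector reproduces the condition ahall_splunk describes; a status of 2 or 3 means the macro is not where this script expects it, so inspect the file by hand rather than trusting the result. stale_local_stanzas is the mechanical version of "make sure there are no local copies" from the earlier reply: anything it prints is an override the upgraded default no longer knows about and is a candidate for deletion or re-copying from default/.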

ahall_splunk
Splunk Employee

I need some more information to diagnose this.

  1. What version of Splunk App for Active Directory are you running?
  2. What page (URL) is this occurring on?
  3. Is there a panel on that page that is misbehaving? If so, which one?
  4. Have you followed the instructions on http://docs.splunk.com in configuring the app?

Once I have that information, we can assist.

0 Karma

BP9906
Builder

I just downloaded the latest to upgrade it from 1.1.3 to 1.1.6. I downloaded it, and used the Splunk UI to upgrade the app. It happens as soon as I click on Security or Operations from within the Active Directory App. It won't even load the domains or any frames. The app was already functional prior to the upgrade.

Examples:
https://splunk/en-US/app/Splunk_for_ActiveDirectory/sec_logon_fail
https://splunk/en-US/app/Splunk_for_ActiveDirectory/ops_topology

I reverted the default folder and restarted Splunk and I'm good for the moment.

0 Karma