I just did an app upgrade for Splunk AD app on Splunk Server 4.3.3. Soon as I did, Splunk AD app fails to function (except search works).
I get a red bar with:
Search operation 'eventtype' is unknown. You might not have permission to run this operation.
SOS says the webservice log errors:
2012-12-03 13:46:35,415 ERROR [50bd1dbb52e54ce10] search:236 - Search operation 'eventtype' is unknown. You might not have permission to run this operation.
Traceback (most recent call last):
File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/search.py", line 229, in dispatchJob
job = splunk.search.dispatch(q, sessionKey=cherrypy.session['sessionKey'], **options)
File "/opt/splunk/lib/python2.7/site-packages/splunk/search/init.py", line 282, in dispatch
raise splunk.SearchException, msg['text']
SearchException: Search operation 'eventtype' is unknown. You might not have permission to run this operation.
No clue where to go next, other than revert back to the previous version.
I need some more information to diagnose this.
Once I have that information, we can assist.
I just downloaded the latest to upgrade it from 1.1.3 to 1.1.6. I downloaded it, and used Splunk UI to upgrade the app. It happens soon as I click on Security or Operations from within the Active Directory App. It wont even load the domains or any frames. The app was already functional prior to the upgrade.
I reverted the default folder and restarted Splunk and I'm good for the moment.
The Splunk App for Active Directory is not a straight forward "install it on the search head and you are good" app - the Technology Addons, SA-ldapsearch, macros, lookups and event types all coordinate to provide the information.
There are a bunch of things that can be going wrong here, and they are probably all driven by the fact that there is an upgrade process.
Bring up the Search page in the Splunk App for Active Directory and execute the following search:
Make sure that is bringing back data. If it is, then the rest of the app should work, since you are getting the right things happening. If it isn't, then you are likely going to get the same error as before. Make sure the eventtypes.conf is properly installed and that there is not local copies of the eventtypes.conf.
As another idea, look in your macros.conf and ensure that the domain-selector macro starts with inputlookup - if it starts with eventtype= then thats your issue. The file will be in SplunkforActiveDirectory/local/macros.conf
The search look for eventtype=msad-dc-health gives me results when I run it back 30 days. I have some conf files in the AD/local folder because I customized the indexes and thus the resulting related searches in eventtypes.conf. There didnt seem to be a huge change between the new default and the previous, but I still made a copy of default/eventtypes.conf to local/eventtypes.conf and re-customized the indexes referenced. That didnt seem to make a difference. I did a quick
grep -i "eventtypes =" * -R and no hits.
Since this was just an upgrade of the app, there must be some other changes.
I finally just fixed this by deleting my eventtypes.conf, macros.conf, and savedsearches.conf in my SplunkforActiveDirectory/local folder. Then I copied my eventtypes.conf and macros.conf to local and edited the 'index=' references again and everything started working again.