All Apps and Add-ons

In splunk version - 8.0 not able to add eventtypes or tags in datamodel constraints

sivaranjiniG
Path Finder

I have created eventtype using splunk inernal index and trying to use that in datamodel as a constraints of a dataset

i am getting below error:
In handler 'datamodeledit': Error in 'test': Dataset constraints must specify at least one index. (test is my dataset name)

Same is working in 7.0 version is that got changed in new version splunk?

Tags (1)
0 Karma

jadoonengr
Engager

Instead of the original command:
sourcetype=access_* action=purchase

The following command worked for me:
index=main sourcetype=access_* action=purchase,Write index=main in the start of the command. The below command works for me:
index=main sourcetype=access_* action=purchase

instead of the original one:
sourcetype=access_* action=purchase
,Write index=main in the start of the command. then it works for me.

codebuilder
SplunkTrust
SplunkTrust

If the example you gave above is what you implemented, then your syntax is off.
You can use event types as a root event constraint, but you define it with "eventtype=test", which must have been declared previously.

I tried your example and had no issues. See attached pics.

alt text
alt text

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

sivaranjiniG
Path Finder

Is it Splunk version 8.x???

I am not able to use eventtype

Still getting this error In handler 'datamodeledit': Error in 'test': Dataset constraints must specify at least one index.

nickhills
Ultra Champion

Can you provide your contraints for the root event dataset?
Did you specify index=_internal as part of the constraint?

If my comment helps, please give it a thumbs up!
0 Karma

sivaranjiniG
Path Finder

i have created eventtype say for ex:

eventtype_name = "index = _internal"

in the data model constraints i gave eventtype_name

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...