Dashboards & Visualizations

Why do I get this error: Eventtype "does not exist or is disabled" when I open my dashboard?

Builder

I have a dashboard that runs entirely off of AIDE file integrity events in the Change Analysis data model.

When the dashboard opens, I see two messages complaining that Eventtype 'XXXX' does not exist or is disabled.

But the two event types the error message are referencing are for a completely different sourcetype. The two event types it is complaining about did exist at one time and have been deleted.

No other dashboards in the same app show this error message.

Any ideas?

0 Karma
1 Solution

Influencer

I would look at the search that is happening for panel(s) that are throwing the error message... Are they searching for the eventtype or are they searching by tag? If searching by tag, is there a tag object applying the label to the named eventtype still (even though the eventtype itself was deleted)?

(As you mentioned the Change Analysis Data Model, is there a tag on that eventtype to change, audit, endpoint, network, and/or account per the CIM documentation )

View solution in original post

0 Karma

Path Finder

I have dashboard for which users are getting this error -
that “ Eventtype “msDashboard_Name” does not exist or is disabled”

Please let me know if this is some kind of permission error or what ?

0 Karma

Influencer

I would look at the search that is happening for panel(s) that are throwing the error message... Are they searching for the eventtype or are they searching by tag? If searching by tag, is there a tag object applying the label to the named eventtype still (even though the eventtype itself was deleted)?

(As you mentioned the Change Analysis Data Model, is there a tag on that eventtype to change, audit, endpoint, network, and/or account per the CIM documentation )

View solution in original post

0 Karma

Builder

Four of the searches are tstats searches. One search goes on raw events.

That search is: index="fim" sourcetype="aide" tag="change" | table ...

Running each one of of those searches in the search window doesn't throw the error.

The dashboards are built with SideView Utils, so maybe it's doing something weird behind the scenes. Removing the tag="change" from the search and using other terms to achieve the same result solved the problem.

Is there some way to purge deleted event types from Splunk's "memory"?

0 Karma

Ultra Champion

If you're not getting the errors in a normal search window: is that in the same app context as the dashboard? Could be that some eventtype is not shared globally and as a result not available in the app where that dashboard sits?

0 Karma

Path Finder

eventtype is shared globally and dashboard sits in search app, still I am getting same error.
eventtype is created in different app and dashboard in different.

0 Karma

Influencer

So tags, like event types are a type of knowledge object and can be created and managed in the UI through the settings menu or through tags.conf files.

Some useful docs: https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Defineandusetags

https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/CurateSplunkknowledgewithManager

https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Tagsconf

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!