Re: [Error 409 Object Exists] is this a bug?

verbal_666 · ‎11-08-2023

Hallo.
Don't know if it's a bug or not, but... SPLUNK 8.2.12...

1. Create a simple EventType for "MYTEST" with tag "MYTEST", with a simple search like "index=_internal source=*splunkd.log"
2. The EventType and Tag are created OK
3. Change the permission to share EventType in App for */RW
4. ALL IS OK

NOW, delete both the objects, System is now empty.

1. ReCreate a simple EventType for "MYTEST" with tag "MYTEST", as before
2. The EventType and Tag are created OK
3. Change the permission to share EventType in App for */RW
4. NOW WE GET "Splunk could not update permissions for resource saved/eventtypes [HTTP 409] [{'type': 'ERROR', 'code': None, 'text': 'Cannot overwrite existing app object'}]"

5. We can only CANCEL and get back, where the EventType is shared in App, BUT WITH NO TAG ASSOCIATED!

5. Now we edit the EventType and add the Tag
6. From now on we have a double Tag and need to leave it so to preserve the shared Tag/EventType

Is this behavious normal??? 🙄🙄🙄

Thanks.

verbal_666 · ‎11-08-2023

The only way to reset the situation, is to manually edit the

"etc/users/user/app/local/eventtypes.conf & tags.conf"
"etc/apps/app/local/eventtypes.conf & tags.conf"
"etc/apps/app/metadata/local.meta"

and delete the objects there.
And restart the Splunkd. But if you are inside a cluster, it's not much comfortable 😐

[Error 409 Object Exists] is this a bug?

Linux

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle

Are you a member of the Splunk Community?

[Error 409 Object Exists] is this a bug?

Linux

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle