Hello.
Don't know if it's a bug or not, but... SPLUNK 8.2.12...
1. Create a simple EventType for "MYTEST" with tag "MYTEST", with a simple search like "index=_internal source=*splunkd.log"
2. The EventType and Tag are created OK
3. Change the permission to share EventType in App for */RW
4. ALL IS OK
NOW, delete both the objects, System is now empty.
1. ReCreate a simple EventType for "MYTEST" with tag "MYTEST", as before
2. The EventType and Tag are created OK
3. Change the permission to share EventType in App for */RW
4. NOW WE GET "Splunk could not update permissions for resource saved/eventtypes [HTTP 409] [{'type': 'ERROR', 'code': None, 'text': 'Cannot overwrite existing app object'}]"
5. We can only CANCEL and get back, where the EventType is shared in App, BUT WITH NO TAG ASSOCIATED!
6. Now we edit the EventType and add the Tag
7. From now on we have a double Tag and need to leave it so as to preserve the shared Tag/EventType
Is this behaviour normal??? 🙄🙄🙄
Thanks.
The only way to reset the situation is to manually edit the
"etc/users/user/app/local/eventtypes.conf & tags.conf"
"etc/apps/app/local/eventtypes.conf & tags.conf"
"etc/apps/app/metadata/local.meta"
and delete the objects there.
And restart the Splunkd. But if you are inside a cluster, it's not very comfortable 😐
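
A read-only way to locate the leftover stanzas before hand-editing the files listed above, as an added example that is not part of the original post or Splunk's own tooling. The function names `find_leftovers` and `demo`, the sample user `admin`, the sample app `search` and the stanza headers in the constructed sample are assumptions.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# File names come from the post; the header-matching rule is an assumption.
TARGET_FILES = {"eventtypes.conf", "tags.conf", "local.meta"}
STANZA = re.compile(r"^\[(.+)\]\s*$")

def find_leftovers(etc_dir, name):
    """Return sorted (relative path, line number, stanza) hits naming `name`."""
    # Whole-token match, so MYTEST does not also report MYTEST2.
    token = re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])")
    hits = []
    for path in Path(etc_dir).rglob("*"):
        rel = path.relative_to(etc_dir)
        if path.name not in TARGET_FILES or rel.parts[0] not in ("users", "apps"):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            m = STANZA.match(line)
            # Metadata headers can be URL-encoded (%3D for "="), so decode.
            if m and token.search(unquote(m.group(1))):
                hits.append((rel.as_posix(), lineno, m.group(1)))
    return sorted(hits)

# Constructed sample tree; user "admin" and app "search" are placeholders.
SAMPLE = {
    "users/admin/search/local/eventtypes.conf":
        "[MYTEST]\nsearch = index=_internal source=*splunkd.log\n",
    "users/admin/search/local/tags.conf":
        "[eventtype=MYTEST]\nMYTEST = enabled\n",
    "apps/search/metadata/local.meta":
        "[eventtypes/MYTEST]\nowner = admin\n"
        "[tags/eventtype%3DMYTEST]\nowner = admin\n"
        "[eventtypes/MYTEST2]\nowner = admin\n",
}

def demo():
    with tempfile.TemporaryDirectory() as etc_dir:
        for rel, text in SAMPLE.items():
            path = Path(etc_dir, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text, encoding="utf-8")
        return find_leftovers(etc_dir, "MYTEST")

if __name__ == "__main__":
    for rel, lineno, stanza in demo():
        print(f"{rel}:{lineno}: [{stanza}]")
```

Against a real installation, pass the instance's `etc` directory and the object name to `find_leftovers`; it only reads files and changes nothing.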