Is there anything I should do before using user defined eventtype in a rest api call?
my username is svc_user_bob (real name changed to protect the innocent)
as svc_user_bob I created the following eventtype
All well and good, I can return events of that eventtype.
When I do a rest call via curl
curl -k -u svc_user_bob:myFakePassword https://localhost:8089/services/search/jobs -d search="search eventtype=sam_service.CombinedQueueGroupEgressLogRecord"
I get a SID which in job inspector shows as failed. On looking in the search log I get the following error
12-01-2014 18:00:08.615 WARN StringSearchExpander - sid:1417417038.14 Eventtype 'sam_service.CombinedQueueGroupEgressLogRecord' does not exist or is disabled.
Other queries run via rest work OK but not this eventtype. I've deleted and created in several times just to make sure it's not a hanging config issue from some old eventtype with the same name.
Hi Martin, I'll give that a try. I managed to raise 2 questions at the same time, and had some luck answering it myself under http://answers.splunk.com/answers/200610/why-am-i-getting-error-eventtypedoes-not-exist-or.html
I did try your endpoint and got a list of search jobs.
I found that wrapping the eventtype name in quotes helped me.