Is there anything I should do before using user defined eventtype in a rest api call?
my username is svc_user_bob (real name changed to protect the innocent)
as svc_user_bob I created the following eventtype
Name:
sam_service.CombinedQueueGroupEgressLogRecord
Description:
eventtype=sam_data ds=service.CombinedQueueGroupEgressLogRecord
All well and good, I can return events of that eventtype.
When I do a rest call via curl
curl -k -u svc_user_bob:myFakePassword https://localhost:8089/services/search/jobs -d search="search eventtype=sam_service.CombinedQueueGroupEgressLogRecord"
I get a SID which in job inspector shows as failed. On looking in the search log I get the following error
12-01-2014 18:00:08.615 WARN StringSearchExpander - sid:1417417038.14 Eventtype 'sam_service.CombinedQueueGroupEgressLogRecord' does not exist or is disabled.
Why?
Other queries run via rest work OK but not this eventtype. I've deleted and created in several times just to make sure it's not a hanging config issue from some old eventtype with the same name.
Turns out the eventtype didn't have sufficient permissions. Changed it to App visible and it works.
Turns out the eventtype didn't have sufficient permissions. Changed it to App visible and it works.
What happens when you use /servicesNS/svc_user_bob/your_app/search/jobs
as the endpoint?
Hi Martin, I'll give that a try. I managed to raise 2 questions at the same time, and had some luck answering it myself under http://answers.splunk.com/answers/200610/why-am-i-getting-error-eventtypedoes-not-exist-or.html
I did try your endpoint and got a list of search jobs.
I found that wrapping the eventtype name in quotes helped me.