I have several eventtypes that are extracted in various apps. This stopped working after I upgraded to 8.0.0.
It's not fully gone; e.g., this works fine:
index=main eventtype=error
But I do not see any eventtype in the selected or interesting fields.
Also, it does not show any eventtype if I do this:
index= main eventtype=error | table _time eventtype _raw
The eventtype field is empty, and I cannot search for eventtype after the table function has been used.
First time I have seen something like this broken after an upgrade. I have been using Splunk at large scale for the last 8 years.
EDIT:
Did create a new eventtype from "Settings" -> "Event Types" a test.
Does not show up in field list, but
index=main eventtype=test
does work fine.
index=main eventtype=test
| table eventtype
Does not show anything.
EDIT2:
Same for all my apps, so not just one app.
EDIT3:
Downgrade to 7.3.2 went fine. eventtypes work again. So I do suggest not upgrading before this is fixed.
Can you post your event type definitions? That would help the community help you.
Here is one example out of several 100
cat eventtypes.conf
[dns_query]
search = "dns* query from*#"
And this did work fine until the upgrade. Have you tested 8.0.0?
As you see in my EDIT, I did create a new one from the GUI. It works in the first search but not in table, nor do I see it in the field list.
Have you opened a support case for this? If there is an actual defect in 8.0 that is causing this issue, they can file it with the engineering team.
I don't have Splunk 8.0. But can you try doing
index=main | fieldsummary
This would give all the available fields.
I would guess there is a case mismatch since the field names are case-sensitive in the table command and they're not in the base search.
Apologies if this was already attempted and is not the solution!
Thanks for the reply.
fieldsummary shows eventtype with 0 as a count.
Nothing has changed, just did an upgrade and everything did work well in 7.3.2 and older.
So there is no error in name spelling.
Strange that I can search for events with certain eventtypes, but not after table is used, and it's not showing in the fields list.
Strange indeed. Sorry that I couldn't be of more help.