I have several
eventtypes that are extracted in various apps. This stopped working after I upgraded to
It's not fully gone, e.g. this works fine.
But I do not see any
eventtype in the
Also it does not show any
eventtype if I do this:
index= main eventtype=error | table _time eventtype _raw
The eventtype field is empty and I cannot search for
table function has been used.
First time I have seen something like this broken after an upgrade. I have been using Splunk at large scale for the last 8 years.
Did create a new eventtype from "Settings" -> "Event Types" a test.
Does not show up in field list, but
do work fine.
index=main eventtype=test | table eventtype
Does not show anything
Same for all my apps, so not just one app.
Downgrade to 7.3.2 went fine.
eventtypes work again. So I do suggest not to upgrade before this is fixed.
Here is one example out of several 100
cat eventtypes.conf
[dns_query]
search = "dns* query from*#"
And this did work fine until the upgrade. Have you tested 8.0.0?
As you see in my EDIT, I did create a new one from the GUI. It works in the first search but not in table, nor do I see it in the field list.
I don't have Splunk 8.0. But can you try doing
index=main | fieldsummary
This would give all the available fields.
I would guess there is a case mismatch since the field names are case-sensitive in the table command and they're not in the base search.
Apologies if this was already attempted and is not the solution!
Thanks for the reply.
0 as a count.
Nothing has changed, just did an upgrade and everything did work well in 7.3.2 and older.
So there is no error in name spelling.
Strange: I can search for events with certain eventtypes, but not after table is used, and it's not showing in the fields list.