Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Eventtype are broken in Splunk 8.0.0

lakromani
Builder
‎10-23-2019 10:01 AM

I have several eventtypes that are extracted in various apps. This stopped working after I upgraded to 8.0.0

Its not fully gone, f.eks this works fine. 

index=main eventtype=error

But I do not see any eventtype in the selected or interesting fields.
Also it does not show any eventtype if I do this:

index= main eventtype=error | table _time eventtype _raw

Eventtype field are empty and I can not search for eventtype after table function has been used.

First time I have seen some like this broken after an upgrade. Has been using Splunk in large scale last 8 yeares

EDIT:
Did create a new eventtype from "Settings" -> "Event Types" a test.
Does not show up in field list, but 

index=main eventtype=test

do work fine.

index=main eventtype=test
| table eventtype

Does not show anything

EDIT2:
Same for all my App, so not just one app.

EDIT3:
Downgrade to 7.3.2 went fine. eventtypes works again. So I do suggest not to upgrade before this is fixed.

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎10-23-2019 11:25 AM

Can you post your event type definitions? That would help the community help you.

0 Karma
Reply

lakromani
Builder
‎10-23-2019 11:08 PM

Here is one example out of several 100

cat eventtypes.conf
[dns_query]
search = "dns* query from*#"

And this did work fine until upgrade. Have you testet 8.0.0?
As you see in my EDIT, I did create a new one from gui. Works in first search but not in table nor does I see it in the field list.

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎10-25-2019 08:13 AM

Have you opened a support case for this? If there is an actual defect in 8.0 that is causing this issue, they can file it with the engineering team.

0 Karma
Reply

arjunpkishore5
Motivator
‎10-23-2019 10:32 AM

I don't have Splunk 8.0 . But can you try doing

index=main | fieldsummary

This would give all the available fields.

I would guess there is a case mismatch since the field names are case-sensitive in the table command and they're not in the base search.

Apologies if this was already attempted and is not the solution!

0 Karma
Reply

lakromani
Builder
‎10-23-2019 10:40 AM

Thanks for the reply.

fieldsummary show eventtype with 0 as a count.

Nothing has changed, just did an upgrade and everything did work well in 7.3.2 and older.
So there are no error in name spelling.

Strange I can search for events with certain eventtypes, but not after table is used and its not showing in the fields list.

0 Karma
Reply

arjunpkishore5
Motivator
‎10-23-2019 11:08 AM

Strange indeed. Sorry that I couldn't be of more help

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...