Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Eventtype are broken in Splunk 8.0.0

lakromani
Builder
‎10-23-2019 10:01 AM

I have several eventtypes that are extracted in various apps. This stopped working after I upgraded to 8.0.0

Its not fully gone, f.eks this works fine. 

index=main eventtype=error

But I do not see any eventtype in the selected or interesting fields.
Also it does not show any eventtype if I do this:

index= main eventtype=error | table _time eventtype _raw

Eventtype field are empty and I can not search for eventtype after table function has been used.

First time I have seen some like this broken after an upgrade. Has been using Splunk in large scale last 8 yeares

EDIT:
Did create a new eventtype from "Settings" -> "Event Types" a test.
Does not show up in field list, but 

index=main eventtype=test

do work fine.

index=main eventtype=test
| table eventtype

Does not show anything

EDIT2:
Same for all my App, so not just one app.

EDIT3:
Downgrade to 7.3.2 went fine. eventtypes works again. So I do suggest not to upgrade before this is fixed.

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎10-23-2019 11:25 AM

Can you post your event type definitions? That would help the community help you.

0 Karma
Reply

lakromani
Builder
‎10-23-2019 11:08 PM

Here is one example out of several 100

cat eventtypes.conf
[dns_query]
search = "dns* query from*#"

And this did work fine until upgrade. Have you testet 8.0.0?
As you see in my EDIT, I did create a new one from gui. Works in first search but not in table nor does I see it in the field list.

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎10-25-2019 08:13 AM

Have you opened a support case for this? If there is an actual defect in 8.0 that is causing this issue, they can file it with the engineering team.

0 Karma
Reply

arjunpkishore5
Motivator
‎10-23-2019 10:32 AM

I don't have Splunk 8.0 . But can you try doing

index=main | fieldsummary

This would give all the available fields.

I would guess there is a case mismatch since the field names are case-sensitive in the table command and they're not in the base search.

Apologies if this was already attempted and is not the solution!

0 Karma
Reply

lakromani
Builder
‎10-23-2019 10:40 AM

Thanks for the reply.

fieldsummary show eventtype with 0 as a count.

Nothing has changed, just did an upgrade and everything did work well in 7.3.2 and older.
So there are no error in name spelling.

Strange I can search for events with certain eventtypes, but not after table is used and its not showing in the fields list.

0 Karma
Reply

arjunpkishore5
Motivator
‎10-23-2019 11:08 AM

Strange indeed. Sorry that I couldn't be of more help

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...