Eventtype style color only displays while in current session

g038123
Explorer

I created 3 eventtypes, and at creation I chose a different color for each one.
Everything worked fine; colors were displaying correctly as expected for each eventtype and for each tag I associated with the individual eventtypes. I tested this with several searches.
However, after logging out of Splunk and then back in, the colors no longer displayed for any user. Permissions were set to global for all 3 eventtypes.

I tested it again by creating a new eventtype and the same thing happened.

I checked the eventtypes.conf and found the color wasn't set. I manually added each color to the eventtypes.conf in etc/app and restarted but no go, still no colors displaying.

I then moved the eventtypes.conf to system/local to see if that would work but again no luck.

Can't figure out why the colors aren't displaying, hopefully, someone can help with this.

0 Karma

jconger
Splunk Employee

You may have more than one eventtype that applies to your event that is stepping on your color. As a test, I created an eventtype named test with the following search and set the color to green:

index=_internal sourcetype=splunkd earliest=-10m@m latest=now

Events that match only the "test" eventtype show up as green (even after logging out and back in). Events that match "test" and another eventtype do not have a color. So try running a search like the following to see if you have more than one eventtype for your desired events:

eventtype=test | stats count by eventtype

0 Karma

g038123
Explorer

I ran a search individually for all 3 of my eventtypes, per jconger's request. In each case, I got only one eventtype for the events returned. I did get multiple tags for each one, not sure if that would have the same effect or not but thought I'd mention it.

Not sure if this complicated things, but I went ahead and deleted two of the eventtypes to see if the remaining one would show color again. That did not have an effect. I then created a new eventtype, named differently but using a slightly different search query. It worked; the color displayed as expected, but only for that new eventtype. Then I logged out and back in, and again no colors display.

Seems very strange, any other thoughts?

0 Karma