Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Eventtype style color only displays while in current session

g038123
Explorer
‎09-01-2016 07:52 AM

I created 3 eventtypes, at creation I chose a different color for each one.
Everything worked fine, colors were displaying correctly as expected for each eventtype and for each tag I associated to the individual eventtypes. I tested this with several searches.
However, after logging out of Splunk and then back in the colors no longer displayed for any user. Permissions were set to global for all 3 eventtypes.

I tested it again by creating a new eventtype and the same thing happened.

I checked the eventtypes.conf and found the color wasn't set. I manually added each color to the eventtypes.conf in etc/app and restarted but no go, still no colors displaying.

I then moved the eventtypes.conf to system/local to see if that would work but again no luck.

Can't figure out why the colors aren't displaying, hopefully, someone can help with this.

0 Karma
Reply

jconger
Splunk Employee
Splunk Employee
‎09-01-2016 02:36 PM

You may have more than one eventtype that applies to your event that is stepping on your color. As a test, I created an eventtype named test with the following search and set the color to green:

index=_internal sourcetype=splunkd earliest=-10m@m latest=now

Events that match the "test" eventtype only, show up as green (even after logging out and back in). Events that match "test" and another eventtype do not have a color. So try running a search like the following to see if you have more than one eventtype for your desired events:

eventtype=test | stats count by eventtype
0 Karma
Reply

g038123
Explorer
‎09-02-2016 06:50 AM

I ran a search individually for all 3 of my eventtypes, per jconger's request. In each case, I got only one eventtype for the events returned. I did get multiple tags for each one, not sure if that would have the same effect or not but thought I'd mention it.

Not sure if this complicated things, I went ahead and deleted two of the eventtypes to see if the remaining one would show color again. That did not have an effect. I then created a new eventtype, named differently but using a slightly different search query. It worked, the color displayed as expected but only for that new eventtype. Then I logged out and back in and again no colors display.

Seems very strange, any other thoughts?

0 Karma
Reply
Get Updates on the Splunk Community!

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...