Knowledge Management

Eventtype 'wg_traffic_allow' does not exist or is disabled.

AJSCSA
Loves-to-Learn Lots

Hello Everyone,

I'm hoping I can get some help on this.  We have the InfoSec app on our Splunk single-server deployment.  On the Network Anomalies page, I'm getting the warning "Eventtype 'wg_traffic_allow' does not exist or is disabled."

Here is the search the dashboard is attempting to run.

 

`infosec-indexes` tag=network tag=communicate
| streamstats current=f last(_time) as next_time by dest 
| eval gap = next_time - _time 
| stats count, avg(gap) as avg_gap, var(gap) as var_gap by dest src 
| search avg_gap<50 count>500 
| stats dc(src)

 

Based on a google search and looking through the results, I was going to check that the eventtype was shared globally.  That's when I saw that the eventtype is actually defined as  'wg_traffic_allowed' with an 'ed' at the end.  So now my question is where is it even trying to pull that eventtype from?  It's not in the search.  It seems to be searching for tags not a specific eventtype.

Labels (1)
0 Karma

haliakbar_splun
Splunk Employee
Splunk Employee

Rather than deleting the Eventtype.  Check the permission and see if it is set to global which most are by default.  Change it to be within app and the search that runs will not use that Knowledge Object.  

0 Karma

scelikok
SplunkTrust
SplunkTrust

I checked the Splunk_TA_WatchGuard_Firebox add-on and in default configuration tags are disabled. That is why you are getting warning.

[eventtype=wg_traffic_allow]
communicate = disabled
network = disabled

 You can safely delete these settings from apps default/tags.conf file to prevent this warning.

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @AJSCSA,

There should be a problem on tag settings. Please check network and communicate tag objects. (Settings | Tags | List by tag name), You should see "wg_traffic_allow" there, you can delete or update as "wg_traffic_allowed". This eventtype is not a part of InfoSec app, should be coming from another app.  

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

AJSCSA
Loves-to-Learn Lots

Both the network and communicate tag objects have eventtype's  they are tagging.  Both tags have both "wg_traffic_allow" and "wg_traffic_allowed".  The eventtype is coming from the Splunk_TA_WatchGuard_Firebox add-on.

0 Karma
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...