Eventtype 'wg_traffic_allow' does not exist or is disabled.

AJSCSA
Loves-to-Learn Lots

Hello Everyone,

I'm hoping I can get some help on this.  We have the InfoSec app on our Splunk single-server deployment.  On the Network Anomalies page, I'm getting the warning "Eventtype 'wg_traffic_allow' does not exist or is disabled."

Here is the search the dashboard is attempting to run.

 

`infosec-indexes` tag=network tag=communicate
| streamstats current=f last(_time) as next_time by dest 
| eval gap = next_time - _time 
| stats count, avg(gap) as avg_gap, var(gap) as var_gap by dest src 
| search avg_gap<50 count>500 
| stats dc(src)

 

Based on a Google search and looking through the results, I was going to check that the eventtype was shared globally. That's when I saw that the eventtype is actually defined as 'wg_traffic_allowed' with an 'ed' at the end. So now my question is, where is it even trying to pull that eventtype from? It's not in the search. It seems to be searching for tags, not a specific eventtype.

0 Karma

haliakbar_splun
Splunk Employee

Rather than deleting the eventtype, check the permission and see if it is set to global, which most are by default. Change it to be within the app, and the search that runs will not use that knowledge object.

0 Karma

scelikok
SplunkTrust

I checked the Splunk_TA_WatchGuard_Firebox add-on, and in the default configuration the tags are disabled. That is why you are getting the warning.

[eventtype=wg_traffic_allow]
communicate = disabled
network = disabled

You can safely delete these settings from the app's default/tags.conf file to prevent this warning.

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

scelikok
SplunkTrust

Hi @AJSCSA,

There should be a problem with the tag settings. Please check the network and communicate tag objects (Settings | Tags | List by tag name). You should see "wg_traffic_allow" there; you can delete it or update it to "wg_traffic_allowed". This eventtype is not a part of the InfoSec app; it should be coming from another app.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

AJSCSA
Loves-to-Learn Lots

Both the network and communicate tag objects have eventtypes they are tagging. Both tags have both "wg_traffic_allow" and "wg_traffic_allowed". The eventtype is coming from the Splunk_TA_WatchGuard_Firebox add-on.

0 Karma
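
The mismatch found in this thread (a tags.conf stanza for eventtype 'wg_traffic_allow' while only 'wg_traffic_allowed' is defined) can be checked for across all apps. The following is an added example, not part of the thread or of any Splunk app: it lists every [eventtype=NAME] tag stanza whose NAME no eventtypes.conf defines. It assumes the usual apps/<app>/default|local layout, uses hypothetical function names and a constructed sample (the eventtype search string is a placeholder), and does not look at disabled eventtypes or sharing permissions.

```python
import re
from pathlib import Path

STANZA = re.compile(r"^\[([^\]]+)\]\s*$")

def stanzas(text):
    """Yield stanza names from Splunk .conf text (settings and comments are skipped)."""
    for line in text.splitlines():
        m = STANZA.match(line.strip())
        if m:
            yield m.group(1)

def dangling_eventtype_tags(conf_files):
    """conf_files maps path -> file text. Returns sorted (tags.conf path, eventtype)
    pairs for [eventtype=NAME] tag stanzas whose NAME no eventtypes.conf defines."""
    defined, tagged = set(), []
    for path, text in conf_files.items():
        name = Path(path).name
        if name == "eventtypes.conf":
            defined.update(stanzas(text))
        elif name == "tags.conf":
            for stanza in stanzas(text):
                field, _, value = stanza.partition("=")
                if field.strip() == "eventtype":
                    tagged.append((path, value.strip()))
    return sorted((p, e) for p, e in tagged if e not in defined)

def load_apps(apps_dir):
    """Read default/ and local/ tags.conf and eventtypes.conf for every app under apps_dir."""
    wanted = ("tags.conf", "eventtypes.conf")
    return {str(p): p.read_text(errors="replace")
            for p in Path(apps_dir).glob("*/*/*.conf")
            if p.parent.name in ("default", "local") and p.name in wanted}

# Constructed sample mirroring the thread: the tag stanza name lacks the trailing "ed".
SAMPLE = {
    "Splunk_TA_WatchGuard_Firebox/default/eventtypes.conf":
        "[wg_traffic_allowed]\nsearch = sourcetype=placeholder_sourcetype\n",
    "Splunk_TA_WatchGuard_Firebox/default/tags.conf":
        "[eventtype=wg_traffic_allow]\ncommunicate = disabled\nnetwork = disabled\n\n"
        "[eventtype=wg_traffic_allowed]\ncommunicate = enabled\nnetwork = enabled\n",
}

if __name__ == "__main__":
    for path, name in dangling_eventtype_tags(SAMPLE):
        print(f"{path}: tag stanza references undefined eventtype '{name}'")
```

To scan a real installation, pass `load_apps()` the apps directory (for example `$SPLUNK_HOME/etc/apps`) and feed the result to `dangling_eventtype_tags()`.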