I'm hoping I can get some help on this. We have the InfoSec app on our Splunk single-server deployment. On the Network Anomalies page, I'm getting the warning "Eventtype 'wg_traffic_allow' does not exist or is disabled."
Here is the search the dashboard is attempting to run.
`infosec-indexes` tag=network tag=communicate
| streamstats current=f last(_time) as next_time by dest
| eval gap = next_time - _time
| stats count, avg(gap) as avg_gap, var(gap) as var_gap by dest src
| search avg_gap<50 count>500
| stats dc(src)
Based on a google search and looking through the results, I was going to check that the eventtype was shared globally. That's when I saw that the eventtype is actually defined as 'wg_traffic_allowed' with an 'ed' at the end. So now my question is where is it even trying to pull that eventtype from? It's not in the search. It seems to be searching for tags not a specific eventtype.
Rather than deleting the Eventtype. Check the permission and see if it is set to global which most are by default. Change it to be within app and the search that runs will not use that Knowledge Object.
There should be a problem on tag settings. Please check network and communicate tag objects. (Settings | Tags | List by tag name), You should see "wg_traffic_allow" there, you can delete or update as "wg_traffic_allowed". This eventtype is not a part of InfoSec app, should be coming from another app.
Both the network and communicate tag objects have eventtype's they are tagging. Both tags have both "wg_traffic_allow" and "wg_traffic_allowed". The eventtype is coming from the Splunk_TA_WatchGuard_Firebox add-on.