Knowledge Management

Eventtype 'windows_account_created' does not exist or is disabled.

sbgoldberg13
Explorer

I've given read permissions for macro, app, eventtype, everything I can think of, to the role and/or everyone. This search keeps failing for all users in the role. It works fine for me as an admin. It even fails with the same message if I add the user to the power role along with the defined role.

event_sources eventtype=windows_account_created

It returns results for just the event_sources macro. But including eventtype windows_account_created shows no results along with:
alt text

I've exhausted any of my ideas. Thoughts?

Tags (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you go to Settings->Event types and set the permissions for windows_account_created to Global, it should fix the problem.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...