Knowledge Management

Eventtype 'windows_account_created' does not exist or is disabled.

sbgoldberg13
Explorer

I've given read permissions for macro, app, eventtype, everything I can think of, to the role and/or everyone. This search keeps failing for all users in the role. It works fine for me as an admin. It even fails with the same message if I add the user to the power role along with the defined role.

event_sources eventtype=windows_account_created

It returns results for just the event_sources macro. But including eventtype windows_account_created shows no results along with:
alt text

I've exhausted any of my ideas. Thoughts?

Tags (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you go to Settings->Event types and set the permissions for windows_account_created to Global, it should fix the problem.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...