Knowledge Management

Unable to find an eventtype <eventtype>

Communicator

I recently updated my searchheads and indexers to 4.2. For some reason I get an error on my search heads when I'm trying specific searches:

[splunksysnet02] Unable to find an eventtype ShoppingSite_Errors

splunksysnet02 is my indexer (not search head). Why would I be suddenly getting this message? Is Splunk now looking to indexers for eventtypes? I tried copying my etc/apps/search/local from my search head to indexer but I still get that error.

Tags (1)
0 Karma
1 Solution

Communicator

Looks like some of the eventtypes (and tags) were disabled. I think they were before the 4.2 upgrade but 4.1x didn't really complain? I enabled them and things are working now.

View solution in original post

Communicator

Looks like some of the eventtypes (and tags) were disabled. I think they were before the 4.2 upgrade but 4.1x didn't really complain? I enabled them and things are working now.

View solution in original post

Builder

In distributed search, Splunk will automatically replicate the bundle on your search head down to the indexers, so you do not need to do this manually. This error is likely related to a scheduled search or otherwise which refers to the ShoppingSite_Errors eventtype or there is a tag specified on this eventtype.

For instance:

## tags.conf
[eventtype=ShoppingSite_Errors]
error = enabled
0 Karma

Communicator

There are both. I checked the tar'd bundle and in apps/search/local/{tags.conf,eventtypes.conf} there is reference to ShoppingSite_Errors. So they do exist on the indexer - but I'm still not clear why I'm getting the error that it is unable to find it.

0 Karma