Why are Event Type tags not being applied to matching events?

responsys_cm
Builder

I have a very straightforward Event Type: index="windows" sourcetype="WinHostMon" source="service". I want it to apply the tags "service" and "report".

I have created the Event Type and given everyone read permissions in all apps and only the admin write permissions. If I paste the Event Type search into the search bar, I see the events that I want. I can see the field "eventtype=windows_service" in the field bar. But when I click on the "tag" or "tag:eventtype" fields, I am not seeing that "service" or "report" are being applied to the events.

I feel like I'm taking crazy pills...

DalJeanis
SplunkTrust

There are two different items in your question: eventtype, and tags.

EVENT TYPES

First, just try a search

index="windows" eventtype=windows_service | head 5

You should see 5 events. This means your eventtype code is working. If so, then look at the next thing; if not, then revisit your eventtype definitions.

TAGS

Next, try the same search using the tag instead.

index="windows" tag=service | head 5

You should still see 5 events, though perhaps not the same five. This means your tag code is working. If not, then revisit your tag definitions.

0 Karma
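To make the two layers of the check above concrete, here is what the underlying definitions look like on disk. This is an added illustration, not configuration posted in the original thread; the stanza name windows_service and the tag names service and report come from the question, while the file contents, the app directory and the file paths are assumptions.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/eventtypes.conf
# Layer 1: the event type. Its search must match the events on its own,
# which is what "index=windows eventtype=windows_service | head 5" exercises.
[windows_service]
search = index="windows" sourcetype="WinHostMon" source="service"

# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/tags.conf
# Layer 2: tags are attached to a field=value pair, not to the event type
# object itself. This stanza is what "tag=service" resolves through, and it
# is a separate knowledge object with its own sharing and permissions.
[eventtype=windows_service]
service = enabled
report = enabled
```

The tags stanza is the one to inspect when the eventtype search works but tag=service returns nothing. On the search head that runs the search, splunk btool eventtypes list windows_service --debug and splunk btool tags list eventtype=windows_service --debug print each setting together with the file it was read from; an empty result for the tags stanza, or one that lives only in another app's private or local scope, points at a missing or mis-scoped tags.conf entry rather than at the event type. Sharing the event type globally does not share the tag; the tag object needs its own read permission for the users running the search.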

responsys_cm
Builder

eventtype=windows_service | head 5 returns five events as expected. But the tags associated with that Event Type are not being applied. Searching on "tag=service tag=report" only returns events for different Event Types...

0 Karma

gilbxrtx_7
New Member

I am facing the same issue as you... can't figure out what's wrong.

0 Karma

kmccririe_splun
Splunk Employee

When searching for tag=service or tag=report, the events from the EventType don't show up?

Or, another way to ask this: when you have eventtype=windows_service in your search and you see the events, if you expand an event, does it show a tag field with the tags you mentioned?

Is this a single instance Splunk server? Where are you making the changes?

0 Karma

responsys_cm
Builder

When searching on "tag=service AND tag=report", events do not show up.

When searching on eventtype="windows_service", events do not show up.

When searching on the windows_service Event Type criteria (index=windows sourcetype=WinHostMon source=service), events show up but without the windows_service eventtype.

I do see the windows_hostmon event type is successfully applying the "os" and "windows" tags to events, but mine isn't working. And I have another Event Type called windows_process that is nearly identical and is working perfectly.

I'm creating the Event Types on an ES search head that searches a 3 node index cluster.

0 Karma

responsys_cm
Builder

I'm noticing that other Event Types and their associated tags are not being applied to matching events.

How do I troubleshoot this?

0 Karma

kmccririe_splun
Splunk Employee

I am thinking it might be a permissions issue. However, the fact that you can manually search and see the events should discount that. I am looking into how to troubleshoot this; I will post any findings I have.

0 Karma