Knowledge Management

errors while using unix tags in the search app

Genti
Splunk Employee
Splunk Employee

If i do a search within the unix app such as this: tag="access" i get plenty of results. If i perform the same search within the search app i receive errors of the kind:
1. Unable to find an eventtype DMA_Linux_syslog
2. Unable to find an eventtype CUPS_access_Linux_OSX

Why are these errors coming up?

Tags (4)
1 Solution

Genti
Splunk Employee
Splunk Employee

This is a minor bug that hte developers have been notified on and will probably be fixed very soon.

Note that when the unix app gets installed a flag that is supposed to be set doesnt get. Your default.data in the unix app looks like this: /splunk/etc/apps/unix/metadata more default.meta

[tags]
export = system

[props]
export = system

[transforms]
export = system

[eventtypes]
access = read : [ * ], write : [ admin, power ]

Note that even though the tag stanza is set to be global, the eventtype does not have such a flag. In order to be able to see these eventtypes outside of the unix app, and hence have the search on the "tag=access" work without errors, the following needs to be changed:

[eventtypes]
access = read : [ * ], write : [ admin, power ]
export = system

Then a server restart is needed, and searching should work just fine...

Cheers,
.gz

View solution in original post

0 Karma

Genti
Splunk Employee
Splunk Employee

This is a minor bug that hte developers have been notified on and will probably be fixed very soon.

Note that when the unix app gets installed a flag that is supposed to be set doesnt get. Your default.data in the unix app looks like this: /splunk/etc/apps/unix/metadata more default.meta

[tags]
export = system

[props]
export = system

[transforms]
export = system

[eventtypes]
access = read : [ * ], write : [ admin, power ]

Note that even though the tag stanza is set to be global, the eventtype does not have such a flag. In order to be able to see these eventtypes outside of the unix app, and hence have the search on the "tag=access" work without errors, the following needs to be changed:

[eventtypes]
access = read : [ * ], write : [ admin, power ]
export = system

Then a server restart is needed, and searching should work just fine...

Cheers,
.gz

0 Karma

Genti
Splunk Employee
Splunk Employee

I think though, that the default behavior is supposed to be that if you have access to the os index, you should be able to use the tags from the search app as well as the unix app.
This seems to be the case for the windows app, the default.meta file there is as the unix one "should" be..

0 Karma

Lowell
Super Champion

I guess the other option is to NOT export the tags. I don't know about anyone else, but the default eventtypes bundled in the unix app don't seem to be very thought out to me.

0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...