
How can I remove a "tag=error" that mysteriously showed up?

_jgpm_
Communicator

I have no idea how this happened, but one of my saved searches broke today and it turns out it's because my source file was tagged as "error".

I cannot get rid of it and I can't find my tags.conf file in my \local folder. This source folder is actually set as two tags, which is also weird.

More info is that this is affecting more than 18 sources and 100K records.

Somehow my tag::eventtype was set to error for all but one of these issues. I've never used tag::eventtype. I think my index may be messed up.

Should I blow away the index and start over? I don't really want to do that.

Update: I've deleted the tag::Eventtype but it keeps coming back. This is what the tag::eventtype looks like.


mattymo
Splunk Employee

Hi jgpm!

One of the main selling features of Splunk is its schema on the fly, allowing for the creation of knowledge objects like tags and eventtypes at search time! Blowing away your index is only really necessary in certain cases, and I am confident this won't be one of them.

The reason it likely popped up out of nowhere is that an app or TA was installed.

This eventtype is part of the Splunk CIM app. Can you confirm you have this installed? Check $SPLUNK_HOME/etc/apps and let us know so we can help you track down the config!

EDIT: updated answer to point future readers to the CIM app

- MattyMo

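Added example, not code from the thread or from the CIM app: a small Python script that does what MattyMo suggests by walking $SPLUNK_HOME/etc/apps, parsing each app's tags.conf and eventtypes.conf with Splunk's default/local layering, and reporting which app enables a given tag on which eventtype and whether that eventtype has been disabled (what jgpm ended up doing). The app names and .conf contents in build_demo_apps are constructed for the demo; point find_tag_sources at a real apps directory to use it.

```python
import os, pathlib, tempfile
def parse_conf(text):
    """Parse Splunk .conf syntax: [stanza] headers, key = value, '#' comments, backslash continuations."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):              # continuation: glue the next physical line on
            pending = line[:-1]
            continue
        pending, line = "", line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def load_layered(app_dir, name):
    """Merge default/<name> then local/<name> the way Splunk layers them: local keys win."""
    merged = {}
    for path in [pathlib.Path(app_dir, layer, name) for layer in ("default", "local")]:
        if path.is_file():
            for stanza, kv in parse_conf(path.read_text()).items():
                merged.setdefault(stanza, {}).update(kv)
    return merged

def find_tag_sources(apps_dir, tag):
    """Report each app whose tags.conf enables `tag` on an eventtype and whether that eventtype is disabled."""
    hits = []
    for app in sorted(os.listdir(apps_dir)):
        for stanza, kv in load_layered(os.path.join(apps_dir, app), "tags.conf").items():
            if stanza.startswith("eventtype=") and kv.get(tag) == "enabled":
                et = stanza.split("=", 1)[1]
                et_conf = load_layered(os.path.join(apps_dir, app), "eventtypes.conf").get(et, {})
                hits.append({"app": app, "eventtype": et, "disabled": et_conf.get("disabled") in ("1", "true")})
    return hits

def build_demo_apps():
    """Constructed stand-in for $SPLUNK_HOME/etc/apps; the file contents are made up, not the real CIM app's."""
    root = tempfile.mkdtemp()
    files = {
        "Splunk_SA_CIM/default/eventtypes.conf": "[err0r]\nsearch = error OR failed \\\n  OR failure\n",
        "Splunk_SA_CIM/default/tags.conf": "# shipped by the app\n[eventtype=err0r]\nerror = enabled\n",
        "Splunk_SA_CIM/local/eventtypes.conf": "[err0r]\ndisabled = 1\n",  # what 'disable' in the UI writes
        "my_app/default/tags.conf": "[eventtype=myevent]\nerror = enabled\n",
    }
    for rel, body in files.items():
        pathlib.Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        pathlib.Path(root, rel).write_text(body)
    return root
```

A stanza shipped in an app's default/ directory cannot be deleted from Splunk Web, which is why a deleted tag "keeps coming back"; the disable that the UI writes to local/ is what actually overrides it.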


cmerriman
Super Champion

So you've gone into your event types and deleted the event type called 'err0r'?


_jgpm_
Communicator

So I freaked out a bit early. I did check eventtypes last night and it was empty...but I had to unfilter a few things and I found it and disabled it. It was related to the CIM app which I had installed yesterday as well. I apologize for the unnecessary post.

mattymo
Splunk Employee
Splunk Employee

Don't be sorry! It's a great and necessary learning experience! The post will likely help people in the future!

Glad to see you got it sorted!

- MattyMo

cburgman
Path Finder

Helped me... Thx!
