Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I remove a "tag=error" that mysteriously showed up?

_jgpm_
Communicator
‎01-12-2017 02:05 PM

I have no idea how this happened, but one of my savedsearches broke today and it turns out its because my source file was tagged as "error".
alt text

I cannot get rid of it and I can't find my tags.conf file in my \local folder. This source folder is actually set as two tags which is also weird.

More info is that this is affecting more than 18 sources and 100K records.

Somehow my tag::eventtype was set to error for all but one of these issues. I've never used tag::eventtype. I think my index may be messed up.

Should I blow away the index and start over? I don't really want to do that.

Update: I've deleted the tag::Eventtype but it keeps coming back. This is what the tag::eventtype looks like.
alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎01-13-2017 05:17 AM

Hi jgpm!

One of the main selling features of splunk is it's schema on the fly, allowing for the creation of knowledge objects like tags and eventtypes at searchtime! Blowing away your index is only really necessary in certain cases, and I am confident this won't be one of them.

The reason it likely popped up out of nowhere, is that an app or TA was installed.

This eventtype is part of the Splunk CIM app. Can you confirm you have this installed? check $SPLUNK_HOME/etc/apps and let us know so we can help you track down the config!

EDIT: updated answer to point future reader to CIM app

- MattyMo

View solution in original post

Reply
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎01-13-2017 05:17 AM

Hi jgpm!

One of the main selling features of splunk is it's schema on the fly, allowing for the creation of knowledge objects like tags and eventtypes at searchtime! Blowing away your index is only really necessary in certain cases, and I am confident this won't be one of them.

The reason it likely popped up out of nowhere, is that an app or TA was installed.

This eventtype is part of the Splunk CIM app. Can you confirm you have this installed? check $SPLUNK_HOME/etc/apps and let us know so we can help you track down the config!

EDIT: updated answer to point future reader to CIM app

- MattyMo
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎01-13-2017 05:03 AM

so you've gone into your event types and deleted the event type called 'err0r'?

0 Karma
Reply
Solved! Jump to solution

_jgpm_
Communicator
‎01-13-2017 07:36 AM

So I freaked out a bit early. I did check eventtypes last night and it was empty...but I had to unfilter a few things and I found it and disabled it. It was related to the CIM app which I had installed yesterday as well. I apologize for the unnecessary post.

Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎01-13-2017 12:12 PM

Don't be sorry! It's a great and necessary learning experience! the post will likely help people in the future!

Glad to see you got it sorted!

- MattyMo
0 Karma
Reply
Solved! Jump to solution

cburgman
Path Finder
‎05-08-2017 09:20 AM

Helped me... Thx!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...