Splunk Enterprise Security

Search string used for creating event type for data modelling marked as invalid search by Splunk

gilbxrtx_7
New Member

I am working on aligning my own data to Splunk Enterprise Security's data model.

Big error 1:
I draft out my search string by using the normal search function in Splunk ES. When I am certain that the search string works well in the normal search function I copied and pasted it into the search box in the 'define event type' page for configuration. When I run a test search within the configuration page I still get the data retrieved. However when I clicked on the 'save' button to save as event type an error message would pop up. It quoted my entire search string and stated that it is an invalid search. I am baffled by it as I had already tested the search string using normal search function before adding it into the search box for creating an event type for data model mapping. I did not make any modifications to the search string.

I went back to the Splunk search page and run the search string again,this time round it did not generate any search results. Afterwards I reduced the search string to search only for the index of where my data is stored at.( 'index=xxx') No search results occurred either.

Big error 2:
There are times when I managed to save my event type successfully with the exact same search string, but another error message would pop up at the data model mapping page,saying that an error had occurred. I would click on the 'edit event type' button to go to the 'define event type' page, and click on the 'save' button again. This time round splunk would show the error message that it is an invalid search string. But I was able to save it as an event type previously using the exact same search string.

Other times I would get warning message from the 'data model mapping' home page that I need to add in source types for my defined event type. Thing is when I first created the event type I did add in my sourcetypes. The sourcetypes would remove on their own, and after several restarting of splunk the sourcetypes would appear back in the 'data model mapping' home page again.

The videos below illustrate the errors that I have been facing:
https://www.youtube.com/watch?v=djwXSVRdOe0&t=21s
https://www.youtube.com/watch?v=Dr5p3j_26IA

To summarize, I am confused by two happenings:
1) drafted working search string deemed as 'invalid' when added into search box in 'define event type' page
2) source type missing from data model mapping home page on its own, and reappears again after several restarts. Most of the time I will have to add in the source type to my event type again, which leads back to 1) error.

Big error 1:
alt text
Big error 2:
alt text

0 Karma