Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Eventtype 'msad-rep-errors' does not exist or is disabled

rukshar
Explorer
‎07-23-2024 12:12 AM

I have a dashboard which gives the below error at user end but when i open the dashboard i dont see any error at my end and it perfectly runs fine with the proper result

  • Error in 'lookup' command: Could not construct lookup 'EventCodes, EventCode, LogName, OUTPUTNEW, desc'. See search.log for more details.
  • Eventtype 'msad-rep-errors' does not exist or is disabled.

Please help me how to fix this issue.

ss.jpg

 

Labels (2)
0 Karma
Reply

marnall
Motivator
‎07-23-2024 01:30 PM

Could you post the sanitized search from that panel? It likely has a broken reference to a lookup and/or an eventtype.

0 Karma
Reply

rukshar
Explorer
‎07-24-2024 12:30 AM 
eventtype=msad-rep-errors (host="*")|lookup EventCodes EventCode,LogName OUTPUTNEW desc|eval desc=if(isnull(desc),"Unknown EventCode",desc)
| stats count by host,Type,EventCode,LogName,desc
| lookup DCs_tier0.csv host OUTPUTNEW domain offset_value
| search offset_value=1
| search (host="*") (domain="*")
| table host domain Type EventCode LogName desc

 

MicrosoftTeams-image (1).png

 

0 Karma
Reply

marnall
Motivator
‎07-24-2024 12:30 PM

I suspect the issue lies with the line:

| lookup EventCodes EventCode,LogName OUTPUTNEW desc

I assume this is intended to use a lookup definition called EventCodes. Could you try using inputlookup on EventCodes in a separate search and see which, if any, columns appear?

| inputlookup EventCodes

If there are no results, then either EventCodes does not exist as a lookup definition or you have no permissions to view it.

If there are columns but there are none called "EventCode","LogName" or "dest", then you'll need to adjust those column names in the lookup command.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...