Splunk Search

Eventtype 'wineventlog_security' does not exist or is disabled

Benny87
Loves-to-Learn

Hi,

I've had some problems with my searches for a few days.

I really don't know what happened, and no one changed the configuration.

In searches or dashboards for Cisco Network, I get the error "Eventtype 'wineventlog_security' does not exist or is disabled" for every search.

search example:  Index=firewall 

The question is why, when I search a completely unrelated index (nothing to do with Windows), it shows the error from the eventtype of the Windows TA, and also why it doesn't show any results.

0 Karma

Benny87
Loves-to-Learn

I will keep it short.

We found a solution to the errors. 

Just restarting the indexer or search head which throws the errors, or making a new connection as a search peer, won't help.

We shut down the whole Splunk farm: indexer, SH, licence server, deployment server etc...

When all servers are off, you can start them again. 

Everything resumed working fine without errors.

0 Karma

PrewinThomas
Motivator

@Benny87 
Some dashboards, saved searches, or macros reference the wineventlog_security eventtype globally, even if your current search is for non-Windows data like firewalls or switches.

If the event type is missing, disabled, or its permissions are not set to "global", Splunk throws this error regardless of the actual index being searched.

This can also happen after app upgrades, permission changes, or if the Splunk_TA_windows is not deployed on all relevant search heads and indexers.

0 Karma

livehybrid
SplunkTrust

Hi @Benny87 

What kind of architecture do you have? Do you have multiple indexers? Could you please run btool to check the eventtypes on the SH and on an indexer:

$SPLUNK_HOME/bin/splunk btool eventtypes list --debug wineventlog_security

I'm also wondering whether something that matches another eventtype for your firewall data is also referencing wineventlog_security... If you run the same btool command as above without the final "wineventlog_security", do you see "wineventlog_security" within any other stanzas?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing


0 Karma

gcusello
SplunkTrust

Hi @Benny87 ,

Check whether this eventtype is shared at App or Global level: it must be Global.

You can do this at [Settings > Eventtypes].

Ciao.

Giuseppe

0 Karma

Benny87
Loves-to-Learn

The Windows TA eventtypes are all globally shared and access is read for everyone.
The problem is why now and not a few days ago. The error just started to show up a few days ago without any change to any configuration. 

0 Karma

gcusello
SplunkTrust

Hi @Benny87 ,

What happens if you run eventtype=wineventlog_security from a search dashboard in your app?

Do you get the same message or a different one?

Did you recently change the version of Splunk_TA_Windows?

Recently there was a change to the data structure of the TA: the sourcetype is WinEventLog or xmlWinEventLog, and the difference between Security, Application and System is in the source field.

Otherwise, you can open a case with Splunk Support, because this Add-On is Splunk supported.

Ciao.

Giuseppe

0 Karma

Benny87
Loves-to-Learn

For the search Eventtype=wineventlog_security there are no results.

The errors are:

[Indexer] Eventtype 'wineventlog_security' does not exist or is disabled

[Indexer] Ignoring eventtype 'wineventlog_security' for search expansion due to error="search string cannot be empty"

remote search process failed on peer

As additional information: the error only shows up for index searches where NO Windows event logs are involved, just for our firewalls, switches and other devices.

As long as I search Windows indexes, e.g. Index=wineventlog_security or index=wineventlog_system, there's no error.

0 Karma
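The three checks raised in this thread (does the eventtype stanza exist and is it enabled, is it exported globally, and do other eventtype stanzas reference it so that an unrelated search pulls it in) can be run offline against the btool output. The script below is an added example, not from the thread or from Splunk; it parses the merged eventtypes.conf text that `splunk btool eventtypes list --debug` prints (after stripping the file-path prefix) plus a merged metadata file, and reports the conditions that produce "does not exist or is disabled" and "search string cannot be empty". The sample conf text, the stanza names other than wineventlog_security and wineventlog_system, and the helper function names are constructed for the example.

```python
"""Offline audit of Splunk eventtype definitions (added example)."""
import configparser
import re

# Constructed sample of a merged eventtypes.conf (as btool would show it,
# minus the path prefixes). wineventlog_security has an empty search, which
# is what triggers "search string cannot be empty" on expansion.
SAMPLE_EVENTTYPES = """
[wineventlog_security]
search =
disabled = 0

[wineventlog_system]
search = source=*WinEventLog:System OR source=*XmlWinEventLog:System

[firewall_denied]
search = index=firewall action=blocked

[suspicious_logon_from_network]
search = eventtype=wineventlog_security EventCode=4624 Logon_Type=3
"""

# Constructed sample of merged metadata (default.meta / local.meta).
# export = system is what the UI calls "Global" sharing.
SAMPLE_META = """
[eventtypes/wineventlog_security]
export = none
access = read : [ * ], write : [ admin ]

[eventtypes/wineventlog_system]
export = system
"""

# btool --debug prefixes every line with the .conf file it came from.
BTOOL_PREFIX = re.compile(r"^\S+\.conf\s+")
# Matches eventtype=name or eventtype="name" inside a search string.
REF_RE = re.compile(r'eventtype\s*=\s*"?([A-Za-z0-9_\-]+)"?', re.IGNORECASE)


def strip_btool_paths(text):
    """Turn `splunk btool ... --debug` output back into plain .conf text."""
    return "\n".join(BTOOL_PREFIX.sub("", line) for line in text.splitlines())


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def audit_eventtype(name, eventtypes, meta):
    """Return a list of findings explaining why `name` could fail to expand.

    Assumption (simplified): export is read only from the eventtype's own
    metadata stanza; a catch-all [] stanza in default.meta is ignored here.
    """
    findings = []
    stanza = eventtypes.get(name)
    if stanza is None:
        findings.append(f"{name}: no stanza in merged eventtypes.conf")
    else:
        if (stanza.get("disabled") or "0").strip().lower() in ("1", "true"):
            findings.append(f"{name}: disabled = 1")
        if not (stanza.get("search") or "").strip():
            findings.append(f"{name}: search string is empty")
    export = meta.get(f"eventtypes/{name}", {}).get("export", "none")
    if export != "system":
        findings.append(f"{name}: export = {export} (not shared globally)")
    # Any other eventtype whose search references `name` inherits the
    # failure, which is how a firewall search can surface a Windows error.
    for other, body in eventtypes.items():
        if other != name and name in REF_RE.findall(body.get("search") or ""):
            findings.append(f"{other}: references eventtype={name}")
    return findings


if __name__ == "__main__":
    ets = parse_conf(SAMPLE_EVENTTYPES)
    meta = parse_conf(SAMPLE_META)
    for et in ("wineventlog_security", "wineventlog_system"):
        print(et, audit_eventtype(et, ets, meta) or ["OK"])
```

To use it on a real host, run `splunk btool eventtypes list --debug` on the search head and on one indexer, pass each output through `strip_btool_paths` and then `parse_conf`, and compare the findings between the two; a stanza present on one and missing or disabled on the other is consistent with the "[Indexer]" errors reported in this thread.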