Splunk Search

Has anyone run into Eventtype "xxxxxxxxx" does not exist or is disabled? Search results only for a certain period?

mohdmikhael
Explorer

Hi,

My client has encountered the following issue below and I was just wondering if anyone has encountered something similar?

- Encountered the following error: eventtype "xxxxxxxxx" does not exist or is disabled, when running a search using a specific index/sourcetype. They have mentioned that the affected eventtype has the proper permissions.

- Search is able to return results for a shorter timeframe (i.e. 3 months) as compared to a longer timeframe (1 year).

Thank you in advance for any information given 🙂

Mikhael


mohdmikhael
Explorer

Hi @gcusello,

Thank you for the reply. Can I check how would I go about checking the grants on this eventtype of my roles and giving Global grants? Is it under "Permissions" of the specific affected eventtype? E.g. Settings > Eventtypes > Search for affected eventtype and click on Permissions?


Thank you.

Mikhael


gcusello
SplunkTrust

Hi @mohdmikhael,

Yes, exactly: you have to check if your user has the permissions to read the eventtype.

Then, if in your eventtype there are other knowledge objects (other eventtypes, tags, fields, etc.), you have to check the permissions of each of them.

Ciao.

Giuseppe


mohdmikhael
Explorer

Hi @gcusello,

Thank you for the reply. Yes, I have checked the permissions for the affected eventtype and it shows as follows:

Under Everyone, it shows as ticked for Read

Under Search string, it shows as sourcetype = xxxxx  app = xxxxx

Would I need to check the app permissions for this?


Thank you in advance.

Mikhael


gcusello
SplunkTrust

Hi @mohdmikhael,

Is the index definition in the eventtype?

If not, try to add it, because the index for the search might not be in the default search path.

Ciao.

Giuseppe


mohdmikhael
Explorer

Hi @gcusello,

I have checked further on this with my customer and it seems that it is affecting only certain users. Also, these certain users are only able to search up to a certain time range e.g. 3 months as compared to 1 year.

Can I just check as to why this is happening?

Thank you.


gcusello
SplunkTrust

Hi @mohdmikhael,

Identify whether the users affected by the problem have a different role that probably doesn't have access to the indexes or to knowledge objects (such as eventtypes).

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @mohdmikhael,

Eventtypes are defined at search time; this means that an eventtype must exist when the search is run, even if it's related to old data from the time when the eventtype was present.

If your problem is that the eventtype is present but it isn't read, you have to check the grants on this eventtype of your roles and eventually give Global grants on it.

Ciao.

Giuseppe

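The checks suggested in this thread (read grants on the eventtype and on every knowledge object it references, whether the sharing is app-only or Global, and whether the search string pins an index) can be done offline against the app's configuration files. The script below is an added example for this thread, not Splunk tooling and not code from either poster: it parses a constructed eventtypes.conf and the matching metadata/local.meta, follows nested eventtype=... references, and reports for a given set of roles which eventtypes in the chain a user cannot read. The stanza names, searches and roles are invented; the assumption that an eventtype with no read grant in the meta file is unreadable is a simplification (the app-wide `[]` default stanza is not consulted).

```python
"""Audit Splunk eventtypes and their sharing grants from .conf and .meta files.

Constructed example for this thread, not Splunk's own tooling.
"""
import configparser
import re

# Constructed sample eventtypes.conf; names and searches are invented.
EVENTTYPES_CONF = """\
[web_access]
search = sourcetype=access_combined app=web

[web_errors]
search = eventtype=web_access status>=500 index=web

[auth_failures]
search = index=wineventlog EventCode=4625 tag=authentication

[all_errors]
search = eventtype=web_errors OR eventtype=app_errors
"""

# Constructed sample metadata/local.meta. 'export = system' is what the UI
# shows as sharing "Global"; no export line means the object is app-only.
LOCAL_META = """\
[eventtypes/web_access]
access = read : [ * ], write : [ admin ]
export = system

[eventtypes/web_errors]
access = read : [ admin, power ], write : [ admin ]

[eventtypes/auth_failures]
access = read : [ * ], write : [ admin ]

[eventtypes/all_errors]
access = read : [ * ], write : [ admin ]
"""


def parse_conf(text):
    """Parse a Splunk .conf/.meta file: '=' is the only delimiter, no interpolation."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written, like Splunk does
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def read_roles(meta_stanza):
    """Roles granted read in an 'access = read : [ a, b ], write : [ ... ]' line."""
    match = re.search(r"read\s*:\s*\[([^\]]*)\]", meta_stanza.get("access", ""))
    if not match:
        return set()
    return {role.strip() for role in match.group(1).split(",") if role.strip()}


def referenced_eventtypes(search):
    """Names used as eventtype=NAME (optionally quoted) inside a search string."""
    return re.findall(r'\beventtype\s*=\s*"?([\w.:-]+)"?', search)


def audit_eventtype(name, conf, meta, user_roles):
    """Walk NAME and every eventtype it references; collect what would break it.

    Returns lists of eventtypes that are missing from the conf, unreadable for
    user_roles, shared app-only rather than Global, or without an index= term.
    """
    report = {"missing": [], "unreadable": [], "app_only": [], "no_index": []}
    seen = set()

    def walk(et):
        if et in seen:  # guard against circular references
            return
        seen.add(et)
        if et not in conf:
            report["missing"].append(et)
            return
        grants = meta.get(f"eventtypes/{et}", {})
        readers = read_roles(grants)
        # Assumption: no meta stanza, or no read grant, means the role can't read it.
        if "*" not in readers and not (readers & set(user_roles)):
            report["unreadable"].append(et)
        if grants.get("export") != "system":
            report["app_only"].append(et)
        search = conf[et].get("search", "")
        if not re.search(r"\bindex\s*=", search):
            report["no_index"].append(et)
        for child in referenced_eventtypes(search):
            walk(child)

    walk(name)
    return report


if __name__ == "__main__":
    conf = parse_conf(EVENTTYPES_CONF)
    meta = parse_conf(LOCAL_META)
    for et in conf:
        print(et, audit_eventtype(et, conf, meta, {"user"}))
```

Run it against the real files (`$SPLUNK_HOME/etc/apps/<app>/local/eventtypes.conf` and `metadata/local.meta`, merging default.conf/default.meta as needed) with the role set of an affected user: an eventtype that shows up as unreadable or missing anywhere in the chain explains the "does not exist or is disabled" error for that role even when the top-level eventtype itself has read permission.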