Splunk Search

What does yellow boxes/triangles in the search-app and panels with the text "Eventtype 'wineventlog-dns' does not exist or is disabled" (ditto for 'wineventlog-ds') mean?

torustad
Path Finder

Hi all,

We have the following setup:

Splunk Enterprise Server 6.4.1
Windows2008R2, 16 GB Physical Memory, 4 CPU Cores
Mode: Standalone

In all my searches from the Search-app i am getting a "yellow box with an exclamation mark in it", whereas in all the panels in a dashboard there is a "yellow triangle with an exclamation mark in it".
In both cases the following text appears whene I click them:

Eventtype 'wineventlog-dns' does not exist or is disabled.
Eventtype 'wineventlog-ds' does not exist or is disabled.

The searches as such seem to be ok.

Any suggestions as to where I should start looking?

Could it have anything to d with these mesaages from teh splunkd.log?

At restart:

07-25-2016 18:01:17.613 +0200 INFO PipelineComponent - Pipeline structuredparsing disabled in default-mode.conf file
07-25-2016 18:01:17.691 +0200 INFO IntrospectionGenerator:resource_usage - RU_main - I-data gathering (Resource Usage) starting; period=10s
07-25-2016 18:01:18.038 +0200 WARN IntrospectionGenerator:resource_usage - RU - Failure executing initial system PDH query, status code is -2147481643
07-25-2016 18:01:18.038 +0200 WARN IntrospectionGenerator:resource_usage - RU - Failure executing initial disk PDH query, status code is -2147481643
07-25-2016 18:01:18.038 +0200 INFO IntrospectionGenerator:resource_usage - RU_main - I-data gathering (IO Statistics) starting; interval=60s
07-25-2016 18:01:18.038 +0200 WARN IntrospectionGenerator:resource_usage - RU - Failure executing PDH query, skipping getting iostats data this collection cycle. Status code is -2147481643

Therafter every minute this:

07-26-2016 02:15:32.082 +0200 WARN IntrospectionGenerator:resource_usage - RU - Failure executing PDH query, skipping getting iostats data this collection cycle. Status code is -2147481643

Thanks for any help,
Kind reagards,
Bård Tørustad

Tags (1)

mrgibbon
Contributor

I created an eventtypes.conf in /splunk_app_windows_infrastructure/local/ on my search head and indexer containing this:

[wineventlog-dns]
disabled = 0
search = sourcetype=WinEventLog:DNS Server

Problem solved, for now. 🙂

torustad
Path Finder

Thanks for your help; I disabled the "splunk_app_windows_infrastructure" - app and the "yellow warnings" went away.
I have had this app installed for quite a time (albeit without it working :-)) so this "yellow warning" most likely came after the upgrade to 6.4.1.

However this message keeps coming in the splund.log:

07-26-2016 02:15:32.082 +0200 WARN IntrospectionGenerator:resource_usage - RU - Failure executing PDH query, skipping getting iostats data this collection cycle. Status code is -2147481643

Regards
Bård

0 Karma

mtime24
Path Finder

I just upgraded from windows infrastructure 1.2 to 1.3 and i'm seeing the ds warning as well, what's the fix? I have the dns app installed so i'm not getting the dns error only the ds error.

Eventtype 'wineventlog-ds' does not exist or is disabled

0 Karma

tsweet_splunk
Splunk Employee
Splunk Employee

This started with Windows Infrastructure App V 1.3 that was released last month. I am guessing you recently upgraded this application as well.

The other error message is related to something else if I had to guess.

0 Karma

torustad
Path Finder

We are here now: "Splunk App for Windows Infrastructure" version 1.3.0, so you are right - I upgraded it because I have a far more serious problem which I did not think had anything to do with this app, but I upgraded it anyway in the offchance that it did 🙂

0 Karma

tsweet_splunk
Splunk Employee
Splunk Employee
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...