What do yellow boxes/triangles in the search-app and panels with the text "Eventtype 'wineventlog-dns' does not exist or is disabled" (ditto for 'wineventlog-ds') mean?

torustad
Path Finder

Hi all,

We have the following setup:

Splunk Enterprise Server 6.4.1
Windows2008R2, 16 GB Physical Memory, 4 CPU Cores
Mode: Standalone

In all my searches from the Search-app I am getting a "yellow box with an exclamation mark in it", whereas in all the panels in a dashboard there is a "yellow triangle with an exclamation mark in it".
In both cases the following text appears when I click them:

Eventtype 'wineventlog-dns' does not exist or is disabled.
Eventtype 'wineventlog-ds' does not exist or is disabled.

The searches as such seem to be ok.

Any suggestions as to where I should start looking?

Could it have anything to do with these messages from the splunkd.log?

At restart:

07-25-2016 18:01:17.613 +0200 INFO PipelineComponent - Pipeline structuredparsing disabled in default-mode.conf file
07-25-2016 18:01:17.691 +0200 INFO IntrospectionGenerator:resource_usage - RU_main - I-data gathering (Resource Usage) starting; period=10s
07-25-2016 18:01:18.038 +0200 WARN IntrospectionGenerator:resource_usage - RU - Failure executing initial system PDH query, status code is -2147481643
07-25-2016 18:01:18.038 +0200 WARN IntrospectionGenerator:resource_usage - RU - Failure executing initial disk PDH query, status code is -2147481643
07-25-2016 18:01:18.038 +0200 INFO IntrospectionGenerator:resource_usage - RU_main - I-data gathering (IO Statistics) starting; interval=60s
07-25-2016 18:01:18.038 +0200 WARN IntrospectionGenerator:resource_usage - RU - Failure executing PDH query, skipping getting iostats data this collection cycle. Status code is -2147481643

Thereafter every minute this:

07-26-2016 02:15:32.082 +0200 WARN IntrospectionGenerator:resource_usage - RU - Failure executing PDH query, skipping getting iostats data this collection cycle. Status code is -2147481643

Thanks for any help,
Kind regards,
Bård Tørustad

mrgibbon
Contributor

I created an eventtypes.conf in /splunk_app_windows_infrastructure/local/ on my search head and indexer containing this:

[wineventlog-dns]
disabled = 0
search = sourcetype="WinEventLog:DNS Server"

Problem solved, for now. 🙂
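
A check for this kind of warning, as an added example that is not part of the original thread and not Splunk's own code: it merges eventtypes.conf layers (default first, then local) and reports every eventtype that a search references but that is missing or disabled. The conf text is constructed sample data, the `wineventlog-all` stanza and the "Directory Service" sourcetype are hypothetical, and the two-layer merge is a simplification of Splunk's real configuration precedence.

```python
import configparser
import re

# Constructed sample conf text (not copied from any real app): one eventtype
# references three others; one is missing and one is disabled.
DEFAULT_CONF = """
[wineventlog-all]
search = eventtype=wineventlog-dns OR eventtype="wineventlog-ds" OR eventtype=wineventlog-security

[wineventlog-security]
search = sourcetype=WinEventLog:Security

[wineventlog-ds]
disabled = 1
search = sourcetype="WinEventLog:Directory Service"
"""
# The local override from the answer above, with the sourcetype quoted.
LOCAL_CONF = """
[wineventlog-dns]
disabled = 0
search = sourcetype="WinEventLog:DNS Server"
"""

# Matches eventtype=name and eventtype="name" inside a search string.
REF = re.compile(r'\beventtype\s*=\s*"?([\w:.-]+)"?')

def load(*layers):
    """Merge conf layers in order; later layers (local) override earlier ones."""
    merged = {}
    for text in layers:
        cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
        cp.read_string(text)
        for name in cp.sections():
            merged.setdefault(name, {}).update(cp.items(name))
    return merged

def broken_references(stanzas):
    """Return {eventtype: reason} for names referenced in a search but unusable."""
    problems = {}
    for attrs in stanzas.values():
        for ref in REF.findall(attrs.get("search", "")):
            if ref not in stanzas:
                problems[ref] = "does not exist"
            elif stanzas[ref].get("disabled", "0").lower() in ("1", "true"):
                problems[ref] = "is disabled"
    return problems
```
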

torustad
Path Finder

Thanks for your help; I disabled the "splunk_app_windows_infrastructure" - app and the "yellow warnings" went away.
I have had this app installed for quite a time (albeit without it working :-)) so this "yellow warning" most likely came after the upgrade to 6.4.1.

However, this message keeps coming in the splunkd.log:

07-26-2016 02:15:32.082 +0200 WARN IntrospectionGenerator:resource_usage - RU - Failure executing PDH query, skipping getting iostats data this collection cycle. Status code is -2147481643

Regards
Bård

0 Karma

mtime24
Path Finder

I just upgraded from Windows Infrastructure 1.2 to 1.3 and I'm seeing the ds warning as well. What's the fix? I have the dns app installed so I'm not getting the dns error, only the ds error.

Eventtype 'wineventlog-ds' does not exist or is disabled

0 Karma

tsweet_splunk
Splunk Employee

This started with Windows Infrastructure App V 1.3 that was released last month. I am guessing you recently upgraded this application as well.

The other error message is related to something else if I had to guess.

0 Karma

torustad
Path Finder

We are here now: "Splunk App for Windows Infrastructure" version 1.3.0, so you are right - I upgraded it because I have a far more serious problem which I did not think had anything to do with this app, but I upgraded it anyway on the off chance that it did 🙂

0 Karma
