I have a dashboard that runs entirely off of AIDE file integrity events in the Change Analysis data model.
When the dashboard opens, I see two messages complaining that Eventtype 'XXXX' does not exist or is disabled.
But the two event types the error messages are referencing are for a completely different sourcetype. The two event types it is complaining about did exist at one time and have been deleted.
No other dashboards in the same app show this error message.
Any ideas?
I would look at the search that is happening for panel(s) that are throwing the error message... Are they searching for the eventtype or are they searching by tag? If searching by tag, is there a tag object applying the label to the named eventtype still (even though the eventtype itself was deleted)?
(As you mentioned the Change Analysis Data Model, is there a tag on that eventtype for change, audit, endpoint, network, and/or account per the CIM documentation?)
I have a dashboard for which users are getting this error:
"Eventtype 'msDashboard_Name' does not exist or is disabled"
Please let me know if this is some kind of permission error or what?
Four of the searches are tstats searches. One search goes on raw events.
That search is: index="fim" sourcetype="aide" tag="change" | table ...
Running each one of those searches in the search window doesn't throw the error.
The dashboards are built with SideView Utils, so maybe it's doing something weird behind the scenes. Removing the tag="change" from the search and using other terms to achieve the same result solved the problem.
Is there some way to purge deleted event types from Splunk's "memory"?
If you're not getting the errors in a normal search window: is that in the same app context as the dashboard? Could be that some eventtype is not shared globally and as a result not available in the app where that dashboard sits?
The eventtype is shared globally and the dashboard sits in the search app, and I am still getting the same error.
The eventtype is created in one app and the dashboard in a different one.
So tags, like event types, are a type of knowledge object and can be created and managed in the UI through the Settings menu or through tags.conf files.
Some useful docs: https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Defineandusetags
https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/CurateSplunkknowledgewithManager
https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Tagsconf
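The answer above suggests checking whether a tags.conf stanza is still applying a tag to an eventtype that has since been deleted, and the docs links describe the tags.conf and eventtypes.conf formats those objects live in. As an added example (not from this thread or from Splunk), here is a small Python script that parses the two conf files and reports tag stanzas of the form `[eventtype=NAME]` whose eventtype is missing from eventtypes.conf or is disabled, which is the condition that produces the "does not exist or is disabled" message. The conf contents embedded below are constructed for illustration; in practice you would feed it the merged output of `splunk btool eventtypes list` and `splunk btool tags list` for the app context the dashboard runs in.

```python
"""Report tags.conf stanzas that point at missing or disabled eventtypes.

Added example: a hypothetical helper, not part of Splunk or of this thread.
The sample conf text below is constructed for illustration only.
"""
import re
from typing import Dict, List

# A Splunk .conf stanza header looks like [name]; tags.conf uses [field=value].
STANZA_RE = re.compile(r"^\[(.+)\]\s*$")

# Constructed sample: one live eventtype, one disabled eventtype.
EVENTTYPES_CONF = """
[aide_change]
search = index=fim sourcetype=aide

[old_sourcetype_login]
search = sourcetype=other action=login
disabled = 1
"""

# Constructed sample: the third stanza references an eventtype that no
# longer exists in eventtypes.conf, which is the situation in the thread.
TAGS_CONF = """
[eventtype=aide_change]
change = enabled

[eventtype=old_sourcetype_login]
authentication = enabled

[eventtype=deleted_eventtype]
change = enabled
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk .conf files: [stanza] followed by key = value lines."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        # Split on the first '=' only; values such as search strings contain '='.
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def stale_eventtype_tags(eventtypes_conf: str, tags_conf: str) -> List[dict]:
    """Return tag stanzas whose target eventtype is missing or disabled.

    Each finding records the eventtype name, the tags still enabled on it,
    and whether the eventtype is 'missing' or merely 'disabled'.
    """
    eventtypes = parse_conf(eventtypes_conf)
    usable = {
        name
        for name, kv in eventtypes.items()
        if kv.get("disabled", "0").lower() not in ("1", "true")
    }
    findings: List[dict] = []
    for stanza, kv in parse_conf(tags_conf).items():
        if not stanza.startswith("eventtype="):
            continue  # tags on other fields (e.g. sourcetype=) are not the issue here
        et_name = stanza[len("eventtype="):]
        if et_name in usable:
            continue
        enabled_tags = sorted(tag for tag, state in kv.items() if state == "enabled")
        if enabled_tags:
            findings.append({
                "eventtype": et_name,
                "tags": enabled_tags,
                "reason": "missing" if et_name not in eventtypes else "disabled",
            })
    return findings


if __name__ == "__main__":
    for f in stale_eventtype_tags(EVENTTYPES_CONF, TAGS_CONF):
        print(f"eventtype={f['eventtype']} is {f['reason']}; "
              f"tags still applied: {', '.join(f['tags'])}")
```

A search such as `tag="change"` expands to every object carrying that tag, so a leftover `[eventtype=deleted_eventtype]` stanza with `change = enabled` is enough to make Splunk look up the dead eventtype and emit the error even though no panel names it directly; removing the stale tags.conf stanza (or the tag assignment in Settings > Tags) is the clean fix, as opposed to dropping the tag from the search.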