Dashboards & Visualizations

Why do I get this error: Eventtype "does not exist or is disabled" when I open my dashboard?

responsys_cm
Builder

I have a dashboard that runs entirely off of AIDE file integrity events in the Change Analysis data model.

When the dashboard opens, I see two messages complaining that Eventtype 'XXXX' does not exist or is disabled.

But the two event types the error message are referencing are for a completely different sourcetype. The two event types it is complaining about did exist at one time and have been deleted.

No other dashboards in the same app show this error message.

Any ideas?

0 Karma
1 Solution

acharlieh
Influencer

I would look at the search that is happening for panel(s) that are throwing the error message... Are they searching for the eventtype or are they searching by tag? If searching by tag, is there a tag object applying the label to the named eventtype still (even though the eventtype itself was deleted)?

(As you mentioned the Change Analysis Data Model, is there a tag on that eventtype to change, audit, endpoint, network, and/or account per the CIM documentation )

View solution in original post

shugup2923
Path Finder

I have dashboard for which users are getting this error -
that “ Eventtype “msDashboard_Name” does not exist or is disabled”

Please let me know if this is some kind of permission error or what ?

0 Karma

acharlieh
Influencer

I would look at the search that is happening for panel(s) that are throwing the error message... Are they searching for the eventtype or are they searching by tag? If searching by tag, is there a tag object applying the label to the named eventtype still (even though the eventtype itself was deleted)?

(As you mentioned the Change Analysis Data Model, is there a tag on that eventtype to change, audit, endpoint, network, and/or account per the CIM documentation )

responsys_cm
Builder

Four of the searches are tstats searches. One search goes on raw events.

That search is: index="fim" sourcetype="aide" tag="change" | table ...

Running each one of of those searches in the search window doesn't throw the error.

The dashboards are built with SideView Utils, so maybe it's doing something weird behind the scenes. Removing the tag="change" from the search and using other terms to achieve the same result solved the problem.

Is there some way to purge deleted event types from Splunk's "memory"?

0 Karma

FrankVl
Ultra Champion

If you're not getting the errors in a normal search window: is that in the same app context as the dashboard? Could be that some eventtype is not shared globally and as a result not available in the app where that dashboard sits?

0 Karma

shugup2923
Path Finder

eventtype is shared globally and dashboard sits in search app, still I am getting same error.
eventtype is created in different app and dashboard in different.

0 Karma

acharlieh
Influencer

So tags, like event types are a type of knowledge object and can be created and managed in the UI through the settings menu or through tags.conf files.

Some useful docs: https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Defineandusetags

https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/CurateSplunkknowledgewithManager

https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Tagsconf

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...