Solved: Unable to find an eventtype <eventtype>

nocostk · ‎03-29-2011

I recently updated my searchheads and indexers to 4.2. For some reason I get an error on my search heads when I'm trying specific searches:

[splunksysnet02] Unable to find an eventtype ShoppingSite_Errors

splunksysnet02 is my indexer (not search head). Why would I be suddenly getting this message? Is Splunk now looking to indexers for eventtypes? I tried copying my etc/apps/search/local from my search head to indexer but I still get that error.

nocostk · ‎04-20-2011

Looks like some of the eventtypes (and tags) were disabled. I think they were before the 4.2 upgrade but 4.1x didn't really complain? I enabled them and things are working now.

View solution in original post

nocostk · ‎04-20-2011

Looks like some of the eventtypes (and tags) were disabled. I think they were before the 4.2 upgrade but 4.1x didn't really complain? I enabled them and things are working now.

hazekamp · ‎03-29-2011

In distributed search, Splunk will automatically replicate the bundle on your search head down to the indexers, so you do not need to do this manually. This error is likely related to a scheduled search or otherwise which refers to the ShoppingSite_Errors eventtype or there is a tag specified on this eventtype.

For instance:

## tags.conf
[eventtype=ShoppingSite_Errors]
error = enabled

nocostk · ‎03-30-2011

There are both. I checked the tar'd bundle and in apps/search/local/{tags.conf,eventtypes.conf} there is reference to ShoppingSite_Errors. So they do exist on the indexer - but I'm still not clear why I'm getting the error that it is unable to find it.

Unable to find an eventtype <eventtype>

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk