Knowledge Management

Unable to find an eventtype <eventtype>

nocostk
Communicator

I recently updated my searchheads and indexers to 4.2. For some reason I get an error on my search heads when I'm trying specific searches:

[splunksysnet02] Unable to find an eventtype ShoppingSite_Errors

splunksysnet02 is my indexer (not search head). Why would I be suddenly getting this message? Is Splunk now looking to indexers for eventtypes? I tried copying my etc/apps/search/local from my search head to indexer but I still get that error.

Tags (1)
0 Karma
1 Solution

nocostk
Communicator

Looks like some of the eventtypes (and tags) were disabled. I think they were before the 4.2 upgrade but 4.1x didn't really complain? I enabled them and things are working now.

View solution in original post

nocostk
Communicator

Looks like some of the eventtypes (and tags) were disabled. I think they were before the 4.2 upgrade but 4.1x didn't really complain? I enabled them and things are working now.

hazekamp
Builder

In distributed search, Splunk will automatically replicate the bundle on your search head down to the indexers, so you do not need to do this manually. This error is likely related to a scheduled search or otherwise which refers to the ShoppingSite_Errors eventtype or there is a tag specified on this eventtype.

For instance:

## tags.conf
[eventtype=ShoppingSite_Errors]
error = enabled
0 Karma

nocostk
Communicator

There are both. I checked the tar'd bundle and in apps/search/local/{tags.conf,eventtypes.conf} there is reference to ShoppingSite_Errors. So they do exist on the indexer - but I'm still not clear why I'm getting the error that it is unable to find it.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...