Knowledge Management

errors while using unix tags in the search app

Genti
Splunk Employee

If I do a search within the unix app such as this: tag="access" I get plenty of results. If I perform the same search within the search app I receive errors of the kind:
1. Unable to find an eventtype DMA_Linux_syslog
2. Unable to find an eventtype CUPS_access_Linux_OSX

Why are these errors coming up?

1 Solution

Genti
Splunk Employee

This is a minor bug that the developers have been notified of, and it will probably be fixed very soon.

Note that when the unix app gets installed, a flag that is supposed to be set doesn't get set. Your default.meta in the unix app (/splunk/etc/apps/unix/metadata, viewed with more default.meta) looks like this:

[tags]
export = system

[props]
export = system

[transforms]
export = system

[eventtypes]
access = read : [ * ], write : [ admin, power ]

Note that even though the tags stanza is set to be global, the eventtypes stanza does not have such a flag. In order to be able to see these eventtypes outside of the unix app, and hence have the search on "tag=access" work without errors, the following needs to be changed:

[eventtypes]
access = read : [ * ], write : [ admin, power ]
export = system

Then a server restart is needed, and searching should work just fine...

Cheers,
.gz

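The answer above comes down to a scope mismatch in the app's metadata: the tags are exported system-wide, the eventtypes they are attached to are not, so any app other than unix resolves the tag but cannot find the eventtype. As an added example that is not part of the original thread, the script below parses the default.meta quoted above, overlays a local.meta fix, and reports the eventtypes a tag depends on that remain private to the app. It assumes a constructed tags.conf (the stanza form [eventtype=NAME] is how tags.conf attaches a tag to an eventtype; the two names are taken from the error messages in the question), that Splunk layers metadata/local.meta over metadata/default.meta, and that a per-object stanza such as [eventtypes/NAME] overrides the type-wide [eventtypes] stanza; the last two points go beyond what the thread shows.

```python
"""Added example: check which objects in a Splunk app's metadata are visible
outside the app, and flag tags exported system-wide whose eventtypes are not.
That mismatch is what produces "Unable to find an eventtype ..." when
tag=access is searched from an app other than the one defining it."""
import re

# Constructed sample: the unix app's default.meta as quoted in the answer.
UNIX_DEFAULT_META = """\
[tags]
export = system

[props]
export = system

[transforms]
export = system

[eventtypes]
access = read : [ * ], write : [ admin, power ]
"""

# Constructed sample tags.conf attaching the "access" tag to two eventtypes.
# The eventtype names are the ones from the error messages in the question.
UNIX_TAGS_CONF = """\
[eventtype=DMA_Linux_syslog]
access = enabled

[eventtype=CUPS_access_Linux_OSX]
access = enabled
"""

# Constructed sample of the fix, placed here in an assumed metadata/local.meta
# layer (the answer edits default.meta directly; either layer satisfies the
# check below, since local.meta is overlaid key by key on default.meta).
UNIX_LOCAL_META_FIX = """\
[eventtypes]
export = system
"""

STANZA_RE = re.compile(r"^\[(.+)\]$")


def parse_conf(text):
    """Parse INI-style .conf/.meta text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = STANZA_RE.match(line)
        if match:
            current = match.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_layers(*layers):
    """Overlay metadata layers; later layers (local.meta) win key by key."""
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


def export_scope(meta, object_type, name=None):
    """Effective export scope of an object type, or of one named object.
    Assumption: a per-object stanza such as [eventtypes/DMA_Linux_syslog]
    overrides the type-wide [eventtypes] stanza. With no export key at all,
    the object stays private to its app ("none")."""
    scope = meta.get(object_type, {}).get("export", "none")
    if name is not None:
        scope = meta.get(f"{object_type}/{name}", {}).get("export", scope)
    return scope


def eventtypes_with_tag(tags_conf, tag):
    """Eventtypes whose tags.conf stanza enables `tag`, sorted by name."""
    names = []
    for stanza, settings in tags_conf.items():
        if stanza.startswith("eventtype=") and settings.get(tag) == "enabled":
            names.append(stanza.partition("=")[2])
    return sorted(names)


def hidden_eventtypes_for_tag(meta, tags_conf, tag):
    """Eventtypes that `tag` depends on but that other apps cannot see while
    the tag itself is exported system-wide. An empty list means a search on
    the tag resolves cleanly from any app."""
    if export_scope(meta, "tags") != "system":
        return []  # the tag is app-private too, so nothing is left dangling
    return [
        name
        for name in eventtypes_with_tag(tags_conf, tag)
        if export_scope(meta, "eventtypes", name) != "system"
    ]


if __name__ == "__main__":
    meta = parse_conf(UNIX_DEFAULT_META)
    tags = parse_conf(UNIX_TAGS_CONF)
    print("hidden before fix:", hidden_eventtypes_for_tag(meta, tags, "access"))
    fixed = merge_layers(meta, parse_conf(UNIX_LOCAL_META_FIX))
    print("hidden after fix: ", hidden_eventtypes_for_tag(fixed, tags, "access"))
```

Run against a real app by reading metadata/default.meta, metadata/local.meta and default/tags.conf from the app directory into the three strings; a non-empty result for a tag you search from another app is the condition the answer describes, and a restart is still needed after changing the metadata.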


Genti
Splunk Employee

I think, though, that the default behavior is supposed to be that if you have access to the os index, you should be able to use the tags from the search app as well as the unix app.
This seems to be the case for the windows app; the default.meta file there is as the unix one "should" be.


Lowell
Super Champion

I guess the other option is to NOT export the tags. I don't know about anyone else, but the default eventtypes bundled in the unix app don't seem to be very well thought out to me.
