Splunk Search

What do the yellow boxes/triangles in the Search app and panels with the text "Eventtype 'wineventlog-dns' does not exist or is disabled" (ditto for 'wineventlog-ds') mean?

torustad
Path Finder

Hi all,

We have the following setup:

Splunk Enterprise Server 6.4.1
Windows2008R2, 16 GB Physical Memory, 4 CPU Cores
Mode: Standalone

In all my searches from the Search app I am getting a "yellow box with an exclamation mark in it", whereas in all the panels in a dashboard there is a "yellow triangle with an exclamation mark in it".
In both cases the following text appears when I click them:

Eventtype 'wineventlog-dns' does not exist or is disabled.
Eventtype 'wineventlog-ds' does not exist or is disabled.

The searches as such seem to be ok.

Any suggestions as to where I should start looking?

Could it have anything to do with these messages from the splunkd.log?

At restart:

07-25-2016 18:01:17.613 +0200 INFO PipelineComponent - Pipeline structuredparsing disabled in default-mode.conf file
07-25-2016 18:01:17.691 +0200 INFO IntrospectionGenerator:resource_usage - RU_main - I-data gathering (Resource Usage) starting; period=10s
07-25-2016 18:01:18.038 +0200 WARN IntrospectionGenerator:resource_usage - RU - Failure executing initial system PDH query, status code is -2147481643
07-25-2016 18:01:18.038 +0200 WARN IntrospectionGenerator:resource_usage - RU - Failure executing initial disk PDH query, status code is -2147481643
07-25-2016 18:01:18.038 +0200 INFO IntrospectionGenerator:resource_usage - RU_main - I-data gathering (IO Statistics) starting; interval=60s
07-25-2016 18:01:18.038 +0200 WARN IntrospectionGenerator:resource_usage - RU - Failure executing PDH query, skipping getting iostats data this collection cycle. Status code is -2147481643

Thereafter every minute this:

07-26-2016 02:15:32.082 +0200 WARN IntrospectionGenerator:resource_usage - RU - Failure executing PDH query, skipping getting iostats data this collection cycle. Status code is -2147481643

Thanks for any help,
Kind regards,
Bård Tørustad

mrgibbon
Contributor

I created an eventtypes.conf in /splunk_app_windows_infrastructure/local/ on my search head and indexer containing this:

[wineventlog-dns]
disabled = 0
search = sourcetype="WinEventLog:DNS Server"

Problem solved, for now. 🙂
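
One way to check the condition behind the warning, as an added example that is not part of the original thread or Splunk's own code: it merges constructed default/ and local/ eventtypes.conf text (local winning per key) and reports each required event type as ok, missing or disabled. The wineventlog-ds stanza contents, the function names and the accepted boolean spellings are assumptions.

```python
# Added example: resolve eventtypes.conf across an app's default/ and local/
# layers, then report event types that a search or dashboard cannot use.
TRUE_VALUES = {"1", "true", "t", "yes", "y"}  # assumed boolean spellings

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # split once: searches contain '='
            current[key.strip()] = value.strip()
    return stanzas

def merge_layers(*layers):
    """Merge parsed layers; later layers (local/) override earlier ones per key."""
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged

def eventtype_status(required, merged):
    """Return {name: 'ok' | 'missing' | 'disabled'} for each required event type."""
    status = {}
    for name in required:
        settings = merged.get(name)
        # This example also counts a stanza with no search as missing.
        if settings is None or not settings.get("search"):
            status[name] = "missing"
        elif settings.get("disabled", "0").lower() in TRUE_VALUES:
            status[name] = "disabled"
        else:
            status[name] = "ok"
    return status

# Constructed sample layers (not the app's real files).
DEFAULT_CONF = '[wineventlog-ds]\ndisabled = 1\nsearch = sourcetype="WinEventLog:Directory Service"\n'
LOCAL_CONF = '[wineventlog-dns]\ndisabled = 0\nsearch = sourcetype="WinEventLog:DNS Server"\n'
REQUIRED = ["wineventlog-dns", "wineventlog-ds"]

if __name__ == "__main__":
    default, local = parse_conf(DEFAULT_CONF), parse_conf(LOCAL_CONF)
    print(eventtype_status(REQUIRED, merge_layers(default)))
    print(eventtype_status(REQUIRED, merge_layers(default, local)))
```

On a real installation, `splunk btool eventtypes list --debug` shows the merged stanzas and the file each setting came from.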

torustad
Path Finder

Thanks for your help; I disabled the "splunk_app_windows_infrastructure" app and the "yellow warnings" went away.
I have had this app installed for quite a time (albeit without it working :-)) so this "yellow warning" most likely came after the upgrade to 6.4.1.

However, this message keeps coming in the splunkd.log:

07-26-2016 02:15:32.082 +0200 WARN IntrospectionGenerator:resource_usage - RU - Failure executing PDH query, skipping getting iostats data this collection cycle. Status code is -2147481643

Regards
Bård

0 Karma

mtime24
Path Finder

I just upgraded from Windows Infrastructure 1.2 to 1.3 and I'm seeing the ds warning as well. What's the fix? I have the DNS app installed, so I'm not getting the dns error, only the ds error.

Eventtype 'wineventlog-ds' does not exist or is disabled

0 Karma

tsweet_splunk
Splunk Employee

This started with Windows Infrastructure App V 1.3 that was released last month. I am guessing you recently upgraded this application as well.

The other error message is related to something else if I had to guess.

0 Karma

torustad
Path Finder

We are here now: "Splunk App for Windows Infrastructure" version 1.3.0, so you are right - I upgraded it because I have a far more serious problem which I did not think had anything to do with this app, but I upgraded it anyway on the off chance that it did 🙂

0 Karma
