Knowledge Management

Eventtype style color only displays while in current session

g038123
Explorer

I created 3 eventtypes; at creation I chose a different color for each one.
Everything worked fine, colors were displaying correctly as expected for each eventtype and for each tag I associated to the individual eventtypes. I tested this with several searches.
However, after logging out of Splunk and then back in the colors no longer displayed for any user. Permissions were set to global for all 3 eventtypes.

I tested it again by creating a new eventtype and the same thing happened.

I checked the eventtypes.conf and found the color wasn't set. I manually added each color to the eventtypes.conf in etc/app and restarted but no go, still no colors displaying.

I then moved the eventtypes.conf to system/local to see if that would work but again no luck.

Can't figure out why the colors aren't displaying; hopefully someone can help with this.

0 Karma

jconger
Splunk Employee

You may have more than one eventtype that applies to your event that is stepping on your color. As a test, I created an eventtype named test with the following search and set the color to green:

index=_internal sourcetype=splunkd earliest=-10m@m latest=now

Events that match the "test" eventtype only, show up as green (even after logging out and back in). Events that match "test" and another eventtype do not have a color. So try running a search like the following to see if you have more than one eventtype for your desired events:

eventtype=test | stats count by eventtype
0 Karma

g038123
Explorer

I ran a search individually for all 3 of my eventtypes, per jconger's request. In each case, I got only one eventtype for the events returned. I did get multiple tags for each one, not sure if that would have the same effect or not but thought I'd mention it.

Not sure if this complicated things, but I went ahead and deleted two of the eventtypes to see if the remaining one would show color again. That did not have an effect. I then created a new eventtype, named differently but using a slightly different search query. It worked; the color displayed as expected, but only for that new eventtype. Then I logged out and back in, and again no colors display.

Seems very strange, any other thoughts?

0 Karma