All Apps and Add-ons

In splunk version - 8.0 not able to add eventtypes or tags in datamodel constraints

sivaranjiniG
Path Finder

I have created eventtype using splunk inernal index and trying to use that in datamodel as a constraints of a dataset

i am getting below error:
In handler 'datamodeledit': Error in 'test': Dataset constraints must specify at least one index. (test is my dataset name)

Same is working in 7.0 version is that got changed in new version splunk?

Tags (1)
0 Karma

jadoonengr
Engager

Instead of the original command:
sourcetype=access_* action=purchase

The following command worked for me:
index=main sourcetype=access_* action=purchase,Write index=main in the start of the command. The below command works for me:
index=main sourcetype=access_* action=purchase

instead of the original one:
sourcetype=access_* action=purchase
,Write index=main in the start of the command. then it works for me.

codebuilder
SplunkTrust
SplunkTrust

If the example you gave above is what you implemented, then your syntax is off.
You can use event types as a root event constraint, but you define it with "eventtype=test", which must have been declared previously.

I tried your example and had no issues. See attached pics.

alt text
alt text

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

sivaranjiniG
Path Finder

Is it Splunk version 8.x???

I am not able to use eventtype

Still getting this error In handler 'datamodeledit': Error in 'test': Dataset constraints must specify at least one index.

nickhills
Ultra Champion

Can you provide your contraints for the root event dataset?
Did you specify index=_internal as part of the constraint?

If my comment helps, please give it a thumbs up!
0 Karma

sivaranjiniG
Path Finder

i have created eventtype say for ex:

eventtype_name = "index = _internal"

in the data model constraints i gave eventtype_name

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...