I have created eventtype using splunk inernal index and trying to use that in datamodel as a constraints of a dataset
i am getting below error:
In handler 'datamodeledit': Error in 'test': Dataset constraints must specify at least one index. (test is my dataset name)
Same is working in 7.0 version is that got changed in new version splunk?
Instead of the original command:
sourcetype=access_* action=purchase
The following command worked for me:
index=main sourcetype=access_* action=purchase,Write index=main in the start of the command. The below command works for me:
index=main sourcetype=access_* action=purchase
instead of the original one:
sourcetype=access_* action=purchase
,Write index=main in the start of the command. then it works for me.
If the example you gave above is what you implemented, then your syntax is off.
You can use event types as a root event constraint, but you define it with "eventtype=test", which must have been declared previously.
I tried your example and had no issues. See attached pics.
Is it Splunk version 8.x???
I am not able to use eventtype
Still getting this error In handler 'datamodeledit': Error in 'test': Dataset constraints must specify at least one index.
Can you provide your contraints for the root event dataset?
Did you specify index=_internal
as part of the constraint?
i have created eventtype say for ex:
eventtype_name = "index = _internal"
in the data model constraints i gave eventtype_name