In splunk version - 8.0 not able to add eventtypes...

sivaranjiniG · ‎01-28-2020

I have created eventtype using splunk inernal index and trying to use that in datamodel as a constraints of a dataset

i am getting below error:
In handler 'datamodeledit': Error in 'test': Dataset constraints must specify at least one index. (test is my dataset name)

Same is working in 7.0 version is that got changed in new version splunk?

jadoonengr · ‎04-29-2020

Instead of the original command:
sourcetype=access_* action=purchase

The following command worked for me:
index=main sourcetype=access_* action=purchase,Write index=main in the start of the command. The below command works for me:
index=main sourcetype=access_* action=purchase

instead of the original one:
sourcetype=access_* action=purchase
,Write index=main in the start of the command. then it works for me.

codebuilder · ‎02-03-2020

If the example you gave above is what you implemented, then your syntax is off.
You can use event types as a root event constraint, but you define it with "eventtype=test", which must have been declared previously.

I tried your example and had no issues. See attached pics.

----
An upvote would be appreciated and Accept Solution if it helps!

sivaranjiniG · ‎02-04-2020

Is it Splunk version 8.x???

I am not able to use eventtype

Still getting this error In handler 'datamodeledit': Error in 'test': Dataset constraints must specify at least one index.

nickhills · ‎01-28-2020

Can you provide your contraints for the root event dataset?
Did you specify index=_internal as part of the constraint?

If my comment helps, please give it a thumbs up!

sivaranjiniG · ‎01-29-2020

i have created eventtype say for ex:

eventtype_name = "index = _internal"

in the data model constraints i gave eventtype_name

In splunk version - 8.0 not able to add eventtypes or tags in datamodel constraints

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!