Hi, and sorry for the somewhat fuzzy question!
I'll try to explain the scenario, so bear with me if the explanation gets a bit long 😉
We have lots of eventtypes in our environment, where most of them are defined within specific apps.
The problem here is that when I (or anyone for that matter) run a search from the standard search tab, the job result complains that one particular eventtype is missing or disabled. This eventtype is defined within a specific app, but is never used in the query.
Example, search executed in the "standard" search and reporting app space:
index=network "10.20.30.40" <-- No eventtype used!
The search query displays all results containing 10.20.30.40 - as expected, but the job-inspector complains that "eventtype login_failure_wdm does not exist or is disabled".
This error would make sense if I tried to use this particular eventtype (since I am running the query outside the app where the eventtype is defined), but no eventtype is used!
As expected there are no complaints if I run the same query from within the app space where login_failure_wdm is defined.
The thing is that it does not matter what indexes and searches I do - the error is there.
The eventtype in question is "nested" from another eventtype, but we use a lot of those without any issues.
login_failure_wdm: eventtype=wdm "authorization error"
where 'wdm' is an eventtype defined as:
index=network host=itc*wdm*
This environment consists of a 2 node indexer cluster (+ 1 master node) and one searchhead (where all searches are performed).
I have run a recursive grep through the entire config on my searchhead, cluster master and the indexer servers, but the eventtype is not included anywhere (except for the definition of the eventtype itself) on the searchhead.
Has anyone seen this phenomenon, and found a solution?
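As an added illustration (not part of the original post or of any Splunk app), this is how the two nested eventtypes described above would look in the owning app's eventtypes.conf, together with a metadata stanza that makes them visible from every app. The app directory name `wdm_app` is a placeholder; the eventtype names and search strings are the ones quoted in the post. The `export = system` setting in metadata/local.meta is the standard Splunk mechanism for sharing a knowledge object outside its app, so a search run from the Search & Reporting app can resolve the definition instead of reporting it as missing or disabled.

```ini
# $SPLUNK_HOME/etc/apps/wdm_app/local/eventtypes.conf  (wdm_app is a placeholder app name)

# Base eventtype: matches the WDM hosts in the network index.
[wdm]
search = index=network host=itc*wdm*

# Nested eventtype: built on top of "wdm" and narrowed to authorization errors.
[login_failure_wdm]
search = eventtype=wdm "authorization error"

# $SPLUNK_HOME/etc/apps/wdm_app/metadata/local.meta
# Both eventtypes must be exported, otherwise the nested one resolves
# but its parent "wdm" is still private to the app.
[eventtypes/wdm]
export = system

[eventtypes/login_failure_wdm]
export = system
```

A quick way to confirm the scope Splunk actually sees from the search head is `$SPLUNK_HOME/bin/splunk btool eventtypes list --debug --app=search`, which prints each eventtype with the file it was read from; an eventtype that only appears when `--app=wdm_app` is given is not exported.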