Eventtype 'uberAgent_index_query' does not exist or is disabled

Mark Swenson

April 16, 2021 22:54

Answered
Follow

We are getting this error showing up in our dashboards

• Eventtype 'uberAgent_index_query' does not exist or is disabled.
• [indexer host1] Eventtype 'uberAgent_index_query' does not exist or is disabled.
• [indexer host2] Eventtype 'uberAgent_index_query' does not exist or is disabled.
• [indexer host3] Eventtype 'uberAgent_index_query' does not exist or is disabled.
• [indexer host4] Eventtype 'uberAgent_index_query' does not exist or is disabled.
• [indexer host5] Eventtype 'uberAgent_index_query' does not exist or is disabled.
• [indexer host6] Eventtype 'uberAgent_index_query' does not exist or is disabled.
• [indexer host7] Eventtype 'uberAgent_index_query' does not exist or is disabled.
• [indexer host8] Eventtype 'uberAgent_index_query' does not exist or is disabled.

When we disabled the EventType the error goes away.

Date Votes

5 comments

0

Dominik Britz April 19, 2021 07:15

Hi Mark,

Which version of Splunk and of the uberAgent Splunk apps are you using?

Comment actions Permalink
0

Mark Swenson April 19, 2021 23:10

Splunk 8.0.7

uberAgent UXM 6.0.0

Comment actions Permalink
0
Dominik Britz April 20, 2021 06:49
Thanks, Mark,

uberAgent uses macros in the eventtypes.conf. For that to work, the macros.conf file needs to be replicated in your cluster. That is configured in uberAgent's distsearch.conf:
```
[replicationSettings:refineConf]
replicate.macros = true
```
Please make sure that the distsearch.conf is available in the search head app. Please also make sure that you use the latest version of eventtypes.conf.
Comment actions Permalink
0

Mark Swenson May 12, 2021 18:13

We tried that fix and are still seeing that same issue.

Comment actions Permalink
0

Dominik Britz May 17, 2021 06:59

I'm sending this to our support system as we need to see some logs.

Comment actions Permalink

Please sign in to leave a comment.