
Thursday, May 7

Received event for unconfigured/disabled index...stash ( 1 missing total )

received event for unconfigured/disabled index='xxxx' with source='source::yyyy' host='host::zzzz' sourcetype='sourcetype::stash' ( 1 missing total )


Abbreviations used in this article:

SH   = Search Head
IDX = Indexer
UF   = Universal Forwarder
HF   = Heavy Forwarder

____________________________________________________________


When you log in to your SH or IDX, the following error appears in the
'Messages' tab at the top of the Splunk page:


received event for unconfigured/disabled index='xxxx' with source='source::yyyy' host='host::zzzz' sourcetype='sourcetype::stash' ( 1 missing total )


Two solutions follow. Note that 'stash' is the sourcetype written by summary
indexing, so when the message names it, a saved search (solution 2) is the
usual origin. Until the cause is fixed the indexer drops the events it cannot
place (that is the "missing total" count), unless indexes.conf on the IDX
sets lastChanceIndex to catch them.


1.  A UF/HF connected to the IDX box is configured to send data to
    index="XXXX", but on the IDX box that index was never created
    or has been disabled, so the indexer cannot store the events
    and raises the message above.

    In this case either enable/create index="XXXX" on the IDX box,
    or stop the UF/HF from forwarding that particular input, as
    shown below (on a UF the default install path is
    /opt/splunkforwarder rather than /opt/splunk; the inputs.conf
    may also live under an app's local/ directory instead of
    system/local) :

    ssh <UF> OR <HF> <enter>
    cd /opt/splunk/etc/system/local <enter>
    vi inputs.conf <enter>

    [monitor:///<some_path>]
    index = XXXX
    # Add the line below inside the stanza to disable this input
    disabled = 1

    /opt/splunk/bin/splunk restart <enter>


***************************        ****************************


2.  Log in to the host named in the message over ssh and look for
    every configuration file that mentions the index :

    ssh ZZZZ <enter>
    cd /opt/splunk/etc/ <enter>
    grep -ril "XXXX" . <enter>

    ZZZZ here is a SH, and a SH may have saved searches that use
    "XXXX" in their queries ( or as a summary-index target ). So go
    to the application the grep output points at and look into its
    "savedsearches.conf" file.


   cd /opt/splunk/etc/apps/<app_name>/local/ <enter>
   vi savedsearches.conf <enter>

   search for "XXXX" and disable the saved search that uses this
   index by adding the line below inside that search's stanza :

    disabled = 1

   OR, you can also disable your saved search from the GUI :)

   Go to the Splunk SH web interface,
   https://ZZZZ:8000 <enter>

   Go to Manager --> Searches and Reports and search for the index
   name; all the saved searches that use that index will show up.
   Simply go to the 'Status' field and 'Disable' it.


Note : There could be a situation where the query itself does not contain
       the index name ( XXXX ), but the saved search writes into that index
       through summary indexing. Simply click on the 'saved search', scroll
       down and uncheck "Summary Indexing ( Enable )" if you see 'XXXX'
       written there as the target index.
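The grep in solution 2 reports every file that contains the index name; the helper below, which is an added example and not part of the original article, goes one step further and reports the exact inputs.conf and savedsearches.conf stanzas that forward to, search, or summary-index into the index, together with whether each stanza is already disabled. It assumes a plain lowercase index name and file paths without spaces.

```shell
#!/bin/sh
# find_index_refs ETC_DIR INDEX
# Lists every inputs.conf / savedsearches.conf stanza under a Splunk etc/ tree
# that sends data to, searches, or summary-indexes into INDEX, and whether the
# stanza is enabled. Constructed helper, not a Splunk command; assumes plain
# (lowercase, no regex metacharacters) index names and paths without spaces.
find_index_refs() {
  etc_dir="$1"
  idx="$2"
  find "$etc_dir" -type f \( -name inputs.conf -o -name savedsearches.conf \) |
  while read -r f; do
    awk -v idx="$idx" -v file="$f" '
      # Print the stanza just finished if it referenced the index.
      function flush() {
        if (stanza != "" && hit)
          printf "%s: %s (%s)\n", file, stanza, (dis ? "disabled" : "enabled")
      }
      BEGIN { idx = tolower(idx) }
      /^\[/ { flush(); stanza = $0; hit = 0; dis = 0; next }
      {
        line = tolower($0)
        # disabled = 1 / true switches the input or saved search off
        if (line ~ /^[ \t]*disabled[ \t]*=[ \t]*(1|true)[ \t]*$/) dis = 1
        # inputs.conf "index = xxxx", or index=xxxx / index="xxxx" in a search
        if (line ~ ("index[ \t]*=[ \t]*\"?" idx "\"?([ \t]|$|\\|)")) hit = 1
        # summary-indexing target: this is what produces sourcetype=stash
        if (line ~ ("^[ \t]*action\\.summary_index\\._name[ \t]*=[ \t]*" idx "[ \t]*$")) hit = 1
      }
      END { flush() }
    ' "$f"
  done
}

# Stand-alone use: sh find_index_refs.sh /opt/splunk/etc xxxx
if [ $# -eq 2 ]; then
  find_index_refs "$1" "$2"
fi
```

Run it on the SH or on the forwarder's etc/ tree; an "(enabled)" stanza is one that still needs the disabled = 1 line or a matching index on the IDX.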



Hope that whenever you encounter the error above :

received event for unconfigured/disabled index='xxxx' with source='source::yyyy' host='host::zzzz' sourcetype='sourcetype::stash' ( 1 missing total )

you will be able to solve it immediately !!

Happy Splunking !







1 comment:

Anonymous said...

Wonderful Article