received event for unconfigured/disabled index='xxxx' with source='source::yyyy' host='host::zzzz' sourcetype='sourcetype::stash' ( 1 missing total )
Please find below the abbreviations used in this article:
SH = Search Head
IDX = Indexer
UF = Universal Forwarder
HF = Heavy Forwarder
____________________________________________________________
When you log in to your SH or IDX, you will see the above error message
in the 'Messages' tab at the top of your Splunk page.
Please find below the two solutions:
1. If a UF/HF box is connected to the IDX box and the UF/HF
is configured to send its data to index="XXXX"
on the IDX box, but on the IDX box index="XXXX" has not been
created (or has somehow been disabled), then the above message appears.
In this case either enable/create index="XXXX" on the IDX
box, or disable the data forwarding on the UF/HF for that
particular index as shown below:
ssh <UF> OR <HF> <enter>
cd /opt/splunk/etc/system/local <enter>
vi inputs.conf <enter>
[monitor:///<some_path>]
index="XXXX"
# Add the below line to the stanza to disable this input
disabled=1
/opt/splunk/bin/splunk restart <enter>
*************************** ****************************
2. Go to host by ssh :
ssh ZZZZ <enter>
cd /opt/splunk/etc/ <enter>
find . | xargs grep -i "XXXX" <enter>
We know that ZZZZ is a SH, and on a SH we may have saved
searches that use the "XXXX" index name in their queries.
So we go to that application and look into its
"savedsearches.conf" file.
cd /opt/splunk/etc/apps/<app_name>/local/ <enter>
vi savedsearches.conf <enter>
Search for "XXXX" and disable the saved search in which this
index is used (just add the below line to that stanza):
disabled=1
OR, you can also disable your saved search from the GUI :)
Go to the Splunk SH web interface,
https://ZZZZ:8000 <enter>
Go to Manager --> Searches and Reports and then search
for the index name; all the saved searches that use that
index name will show up. Simply go to the 'Status'
field and 'Disable' it.
Note: There could be a situation where the index name (XXXX) is
not in the query itself, but summary indexing is writing to this index name.
Simply click on the saved search, scroll down and uncheck
"Summary Indexing (Enable)" [if you see 'XXXX' written in that field].
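Both solutions above come down to the same question: which stanzas in the Splunk etc/ tree still reference the index, and are they already disabled? The plain `find | xargs grep` shows matching lines but not which stanza they belong to, and it misses a summary-indexing reference unless you know to grep for `action.summary_index._name`. The script below is an added example (it is not from the original post and not Splunk's own tooling) that walks an etc/ tree, parses `inputs.conf` and `savedsearches.conf` stanza by stanza, and reports every stanza that names the index, either directly (`index = ...`), in the query (`search = index=... `), or through summary indexing, together with whether the stanza already carries `disabled = 1`. It assumes the standard INI-style layout of Splunk .conf files; the sample tree it builds is constructed for the demonstration and is not a real installation.

```shell
#!/bin/sh
# Added example, not part of the original post. Locate every stanza in a
# Splunk etc/ tree that references a given index and show its enabled state.
# Assumes INI-style .conf files: "[stanza]" headers and "key = value" lines.

# Usage: find_index_refs <etc_dir> <index_name>
# Prints one line per referencing stanza: file<TAB>stanza<TAB>ENABLED|disabled
find_index_refs() {
    etc_dir=$1
    index_name=$2
    find "$etc_dir" -type f \( -name inputs.conf -o -name savedsearches.conf \) |
    sort |
    while read -r conf; do
        awk -v idx="$index_name" -v file="$conf" '
            # Emit the stanza just finished, if it referenced the index.
            function flush() {
                if (stanza != "" && hit)
                    printf "%s\t%s\t%s\n", file, stanza, (off ? "disabled" : "ENABLED")
                stanza = ""; hit = 0; off = 0
            }
            /^[[:space:]]*\[/ {             # new [stanza] header
                flush()
                stanza = $0
                sub(/^[[:space:]]*\[/, "", stanza)
                sub(/].*$/, "", stanza)
                next
            }
            /^[[:space:]]*#/ { next }       # comment line
            {
                eq = index($0, "=")
                if (eq == 0) next           # blank or non key=value line
                key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                gsub(/^"|"$/, "", val)      # strip optional quotes around value
                # Case 1: forwarder input targeting the index directly.
                # Case 3: summary indexing writing into the index.
                if ((key == "index" || key == "action.summary_index._name") &&
                    tolower(val) == tolower(idx)) hit = 1
                # Case 2: saved search whose SPL query names the index.
                if (key == "search" &&
                    tolower(val) ~ ("index[[:space:]]*=[[:space:]]*\"?" tolower(idx))) hit = 1
                if (key == "disabled" && (val == "1" || tolower(val) == "true")) off = 1
            }
            END { flush() }
        ' "$conf"
    done
}

# Build a small constructed etc/ tree under $1 covering the three cases
# from the post: a forwarder input, a saved search whose query names the
# index, and a saved search that feeds the index via summary indexing.
make_sample_etc() {
    root=$1
    mkdir -p "$root/system/local" "$root/apps/search/local"
    cat > "$root/system/local/inputs.conf" <<'EOF'
[monitor:///var/log/app]
index = XXXX
sourcetype = app_log

[monitor:///var/log/other]
index = main
EOF
    cat > "$root/apps/search/local/savedsearches.conf" <<'EOF'
[Daily XXXX report]
search = index=XXXX | stats count by host
cron_schedule = 0 6 * * *

[Hourly rollup]
search = index=main | stats count by sourcetype
action.summary_index = 1
action.summary_index._name = XXXX
disabled = 1

[Unrelated]
search = index=main | head 10
EOF
}

# Stand-alone demonstration on the constructed tree.
demo_dir=$(mktemp -d)
make_sample_etc "$demo_dir/etc"
find_index_refs "$demo_dir/etc" XXXX
rm -rf "$demo_dir"
```

On a real SH or IDX you would run `find_index_refs /opt/splunk/etc XXXX` instead of the constructed tree; any line reported as ENABLED is a stanza that still needs either the index created on the IDX or `disabled=1` added, exactly as the two solutions describe. The stanza name tells you which input or saved search to open, and the summary-indexing case is caught even when the query text never mentions the index.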
Hope that whenever you encounter the above error:
received event for unconfigured/disabled index='xxxx' with source='source::yyyy' host='host::zzzz' sourcetype='sourcetype::stash' ( 1 missing total )
you will be able to solve it immediately !!
Happy Splunking !
1 comment:
Wonderful Article