Splunk Enterprise

received event for unconfigured/disabled index=_audit

heterodyned
Path Finder

Currently, I have enabled splunk forwarder on a particular windows box with SSL encryption to the indexer. ( Although this may not be actually the source of the issue)

I am receiving events for unconfigured/disabled index='_audit' on the forwader for some reason. I did verify that all the indexes in the forwarder are enabled, and the same holds true for the receiver

Any idea what could be the source of the issue?

Tags (1)
0 Karma
1 Solution

jbsplunk
Splunk Employee
Splunk Employee

This is a defect in 4.1.x, the message happens when you restart a LWF. I have been able to replicate the issue. It has been reported to support and is being investigated by engineering. This has been added to the known issues document, see SPL-37337:

http://www.splunk.com/base/Documentation/4.1.7/ReleaseNotes/Knownissues

View solution in original post

jbsplunk
Splunk Employee
Splunk Employee

This is a defect in 4.1.x, the message happens when you restart a LWF. I have been able to replicate the issue. It has been reported to support and is being investigated by engineering. This has been added to the known issues document, see SPL-37337:

http://www.splunk.com/base/Documentation/4.1.7/ReleaseNotes/Knownissues

heterodyned
Path Finder

I could fix this issue, the windows forwarder was actually configured as LightForwarder and was still operating in LightForwarder Mode, ( this was done by someone previously) and at the sametime I was using the SplunkWebUI for this particular server, which was causing these events.

Solution: I disabled splunk-light forwarder and enabled forwarder mode, the issue got resolved

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...