Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Received event for unconfigured/disabled/delted......

xsstest
Communicator
‎04-21-2017 12:40 AM

I am a splunk novice.

Https://answers.splunk.com/answers/522405/why-is-there-no-data-in-my-summary-index.html

URL of the file or not resolved.

Description: I created a Splunk cluster and created a lot of alert strategies on my search server. Some alerts open the summary index, and the summary index name is "alerts", I confirm that the alerts are the existing . And I'm sure a lot of alert have been triggered. But I'm running "index = alerts" on the search server. Return empty And I got this information on the search server's WEBUI: "Received event for unconfigured / disabled / delted ...." as shown below:

Question: Why is my summary index no data written? Is there a problem with my configuration?

alt text

Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gfreitas
Builder
‎04-21-2017 06:49 AM

Have you enabled data forwarding on the search head to send the indexed data to the indexers? You can enable event forwarding on the serch head going to settings > forwarding and receiving > configure forwarding > add your two indexers. This way the data that you asked to index on the search head will be forwarder to the indexers and will get indexed.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dineshraj9
Builder
‎04-23-2017 11:30 PM

Can you run the below query and verify if the index is created on your indexers?

| eventcount summarize=false index=alerts

Verify if all your indexers are listed here.
Try restarting the indexers also once.

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎04-23-2017 11:48 PM

result is 0 . What should I do next?

0 Karma
Reply
Solved! Jump to solution
Solution

gfreitas
Builder
‎04-21-2017 06:49 AM

Have you enabled data forwarding on the search head to send the indexed data to the indexers? You can enable event forwarding on the serch head going to settings > forwarding and receiving > configure forwarding > add your two indexers. This way the data that you asked to index on the search head will be forwarder to the indexers and will get indexed.

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎04-23-2017 10:40 PM

This is a cluster

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...