
warning in my indexer received event for unconfigured/disabled index

adityapavan18
Contributor

I receive a syslog feed on my heavy forwarder. From there the data is forwarded to my indexer.

And in my indexer I want the received data to be indexed in index=syslog.

Heavy Forwarder configuration

inputs.conf:

[udp://514]
connection_host = X.X.X.X
index = syslog_index
sourcetype = syslog_st

and the configuration in my indexer is:

inputs.conf

[splunktcp://9998]
index = syslog
sourcetype = syslog_feed

But I am getting a warning in my indexer:

received event for unconfigured/disabled index='syslog_index' with source='source::udp:514' host='host::X.X.X.X' sourcetype='sourcetype::syslog_st' (1 missing total)

Why is it still trying to put the forwarded data into index=syslog_index when I configured my indexer to index data into index=syslog?

Could anyone please help?

0 Karma

marios_kstone
Path Finder

A heavy forwarder does event parsing, which means you cannot change the index name on the indexer side (the "index=syslog" part on the indexer is ignored).
You should replace the heavy forwarder with a universal forwarder to move the parsing logic to the indexer.
Another option is to set the "sendCookedData=false" parameter in outputs.conf on the HF to tell Splunk to send RAW unparsed data.

0 Karma
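The two ways out of this warning, written up as an added configuration example (not taken from the thread): either keep the heavy forwarder's parsing and make the index it tags events with actually exist on the indexer, or ship raw data and let the indexer assign the index. Index paths are the Splunk defaults, INDEXER_HOST and the "lastchance" index name are placeholders I chose, and the index and port names come from the question.

```ini
# --- Option A: keep HF parsing; define the HF-assigned index on every indexer ---
# indexer: $SPLUNK_HOME/etc/system/local/indexes.conf (or an app's local/ dir)
# The warning fires because "syslog_index" is not defined here. Until it is,
# events carrying that index name are dropped ("(1 missing total)").
[syslog_index]
homePath   = $SPLUNK_DB/syslog_index/db
coldPath   = $SPLUNK_DB/syslog_index/colddb
thawedPath = $SPLUNK_DB/syslog_index/thaweddb

# Optional safety net against silent data loss: events addressed to an
# index that does not exist land in a catch-all index instead of being
# dropped. The catch-all index must itself exist. (Assumed name: lastchance.)
[default]
lastChanceIndex = lastchance

[lastchance]
homePath   = $SPLUNK_DB/lastchance/db
coldPath   = $SPLUNK_DB/lastchance/colddb
thawedPath = $SPLUNK_DB/lastchance/thaweddb

# --- Option B: send raw (uncooked) data so the indexer decides the index ---
# heavy forwarder: outputs.conf
# With sendCookedData = false the HF sends the untouched bytes; the index and
# sourcetype it set in inputs.conf are not transmitted. INDEXER_HOST is a placeholder.
[tcpout]
defaultGroup = raw_to_indexers

[tcpout:raw_to_indexers]
server = INDEXER_HOST:9998
sendCookedData = false

# indexer: inputs.conf
# Raw data must be received on a plain tcp input, not splunktcp. Only here
# does the indexer's own index/sourcetype assignment take effect.
[tcp://9998]
index = syslog
sourcetype = syslog_feed
```

Splunk .conf files only treat a line that starts with `#` as a comment, so never append a comment after a value on the same line; it would become part of the value. Option B also discards any props/transforms logic on the HF, because nothing is parsed there anymore, which is why it does not fit a setup that routes by regex on the HF.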

ayme
Splunk Employee

Why are you setting index = syslog_index in the first place? Just set index=syslog, no? In any case, if it's a heavyweight forwarder, all the parsing has already been done, which is why the indexer is ignoring your configuration.

adityapavan18
Contributor

The reason I have different index names is that from the heavy forwarder I have to filter data to be sent to different indexes in the indexer (one to hold user auth data and the other to hold payload data) depending on some regex.

0 Karma
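For the routing described above, here is an added example of how the regex split is done on the heavy forwarder with props.conf and transforms.conf; it is not the poster's configuration. The sourcetype name syslog_st comes from the question; the regexes and the index names auth_index and payload_index are assumptions I made for illustration.

```ini
# heavy forwarder: props.conf
# Attach the routing transforms to the sourcetype set in inputs.conf.
# Transforms in the list run left to right; when more than one matches,
# the last match wins for _MetaData:Index.
[syslog_st]
TRANSFORMS-route = route_auth, route_payload

# heavy forwarder: transforms.conf
# Events whose raw text matches an auth-related pattern go to the auth index.
# Regex and index name are illustrative assumptions.
[route_auth]
REGEX = (?i)(sshd\[\d+\]:|Accepted publickey|Failed password|authentication failure)
DEST_KEY = _MetaData:Index
FORMAT = auth_index

# Events that carry a payload marker go to the payload index.
# Events matching neither transform keep the index from inputs.conf.
[route_payload]
REGEX = (?i)\bpayload\b
DEST_KEY = _MetaData:Index
FORMAT = payload_index
```

Every index named in a FORMAT line (auth_index, payload_index) and the fallback index from inputs.conf must be defined in indexes.conf on every indexer the HF sends to; an index that exists only in the HF's transforms produces exactly the "unconfigured/disabled index" warning from the question, and the events are dropped rather than indexed. Checking that the two regexes are mutually exclusive on real samples is worth doing before rollout, since an auth event that also contains the word "payload" would end up in payload_index.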

yannK
Splunk Employee

There is still a forwarder somewhere configured to send to this syslog_index.
Can you check:

  • all the inputs.conf on all the forwarders
  • all the props.conf/transforms.conf on the indexer and heavy forwarders (in case another transform remains)

Use the btool command to make sure, and search for the keyword syslog_index in the output:

./splunk cmd btool inputs list --debug
./splunk cmd btool props list --debug
etc...

0 Karma

adityapavan18
Contributor

I have only one heavy forwarder pushing data to 2 indexers.
And in that heavy forwarder the conf is the same as in my post above, and both indexers have the configuration mentioned above in the post.

0 Karma