We are seeing that one of our indexes is disabled.
Is there any way to find when the index was disabled (date and time)?
Is this info logged in any log files?
You will know if you are getting events for that index, believe me!
On all Search Heads that are peered to indexers, in the Messages area you will see messages like:
Received event for unconfigured/disabled/deleted index='lost_index' with source='source::/tmp/test' host='host::localhost.localdomain' sourcetype='sourcetype::anything' (1 missing total)
You can also search _internal for splunkd.log (/opt/splunk/var/log/splunk/splunkd.log) for events like this:
05-22-2017 17:30:43.276 +0200 WARN IndexProcessor - received event for unconfigured/disabled/deleted index='lost_index' with source='source::/tmp/test' host='host::localhost.localdomain' sourcetype='sourcetype::anything' (1 missing total)
Thanks for your response 🙂
Yes, it shows the messages. But it won't tell you when the index was disabled.
We are not using/monitoring this server regularly as it is part of POC/testing activity, and also logs are not pushed regularly to the index. Hence it will be difficult to find when the index was disabled and by whom.
Search in _internal for the log that I indicated. When it first started happening is roughly when it was disabled.
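The answer above relies on the first "received event for unconfigured/disabled/deleted index" warning in splunkd.log as an approximation of the disable time. The following Python script is an added example, not code from the thread or from Splunk: it parses splunkd.log lines in the format quoted above and reports, per index, the earliest such warning and the largest "missing total" counter. The log lines embedded in it are constructed samples in that format.

```python
import re
from datetime import datetime

# Constructed sample lines in the splunkd.log format quoted in this thread.
# The second line is unrelated noise to show that it is skipped.
SAMPLE_SPLUNKD_LOG = """\
05-22-2017 17:30:43.276 +0200 WARN IndexProcessor - received event for unconfigured/disabled/deleted index='lost_index' with source='source::/tmp/test' host='host::localhost.localdomain' sourcetype='sourcetype::anything' (1 missing total)
05-22-2017 17:31:10.002 +0200 INFO  Metrics - group=per_index_thruput, series="main", kbps=0.5
05-22-2017 17:35:01.900 +0200 WARN IndexProcessor - received event for unconfigured/disabled/deleted index='lost_index' with source='source::/tmp/test' host='host::localhost.localdomain' sourcetype='sourcetype::anything' (7 missing total)
05-23-2017 09:02:15.120 +0200 WARN IndexProcessor - received event for unconfigured/disabled/deleted index='poc_index' with source='source::/var/log/app.log' host='host::poc01' sourcetype='sourcetype::app' (1 missing total)
"""

# Generic splunkd.log line: timestamp, level, component, " - ", message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>\w+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)

# The IndexProcessor warning we care about, with the index name and counter.
MISSING_RE = re.compile(
    r"received event for unconfigured/disabled/deleted index='(?P<index>[^']+)'"
    r".*\((?P<missing>\d+) missing total\)"
)


def parse_timestamp(ts: str) -> datetime:
    """splunkd.log timestamps look like 05-22-2017 17:30:43.276 +0200."""
    return datetime.strptime(ts, "%m-%d-%Y %H:%M:%S.%f %z")


def first_missing_index_events(log_text: str) -> dict:
    """Return {index_name: (earliest_warning_time, max_missing_total)}.

    Only IndexProcessor warnings about unconfigured/disabled/deleted
    indexes are considered; every other line is ignored.
    """
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("component") != "IndexProcessor":
            continue
        mm = MISSING_RE.search(m.group("msg"))
        if not mm:
            continue
        ts = parse_timestamp(m.group("ts"))
        name = mm.group("index")
        missing = int(mm.group("missing"))
        first, count = result.get(name, (ts, 0))
        result[name] = (min(first, ts), max(count, missing))
    return result


def report(log_text: str) -> list:
    """Human-readable summary, one line per affected index."""
    lines = []
    for name, (first, count) in sorted(first_missing_index_events(log_text).items()):
        lines.append(
            f"index={name} first_warning={first.isoformat()} "
            f"events_dropped_so_far={count}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SPLUNKD_LOG):
        print(line)
```

Read the first-warning time as an upper bound: the index was disabled at or before that moment, and when data only trickles in (as in the asker's POC setup) the real disable time may be noticeably earlier. The _audit search quoted in this thread is the only way to get the exact time and the user who did it, assuming that audit data was retained.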
@sajeshpp, you can get this from Splunk's _audit
index. Add the index name which has been disabled to the following query:
index="_audit" action=disable object="<YourDisabledIndexName>"
| table object action user timestamp _raw _time
Thanks, this worked out for me.
Great... Cheers!!!