I have indexes on two servers and moved index to one server:
I followed the following guidelines:
http://splunk-base.splunk.com/answers/10184/consolidate-databases-from-multiple-splunk-instances
and
http://splunk-base.splunk.com/answers/34811/how-can-i-find-all-duplicate-bucket-ids-that-are-causing...
but I still get this error:
IndexProcessor - received event for unconfigured/disabled index='_audit' with source='source::audittrail' host='host::wspra99a0546' sourcetype='sourcetype::audittrail' (1 missing total)
IndexProcessor - received event for unconfigured/disabled index='_internal' with source='source::/opt/local/qosmont/splunk_search_head_02_sit/var/log/splunk/splunkd.log' host='host::wspra99a0546' sourcetype='sourcetype::splunkd' (2 missing total)
How can I fix these?
Thank You.
Hi gudavasr
check if those indexes are disabled:
| rest /services/data/indexes | table title disabled
if so you can enable them in 'Manager >> Indexes'
probably it is also possible via REST but I haven't checked on that yet 😉
cheers,
MuS
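To see which indexes are rejecting events before enabling them, the warnings quoted in the question can be tallied per index. This is an added example, not part of the original thread or Splunk's own tooling; the function name and the truncated third sample line are constructed, and the "internal index" flag assumes the usual leading-underscore naming.

```python
import re
from collections import defaultdict

# Matches the warning text quoted in the question; any prefix before
# "IndexProcessor" (timestamp, log level) is ignored by search().
WARNING_RE = re.compile(
    r"IndexProcessor - received event for unconfigured/disabled "
    r"index='(?P<index>[^']*)' with source='source::(?P<source>[^']*)' "
    r"host='host::(?P<host>[^']*)' "
    r"sourcetype='sourcetype::(?P<sourcetype>[^']*)' "
    r"\((?P<missing>\d+) missing total\)"
)

# First two lines are the warnings from the question; the third is a
# constructed truncated line to show that partial records are skipped.
SAMPLE_LOG = """\
IndexProcessor - received event for unconfigured/disabled index='_audit' with source='source::audittrail' host='host::wspra99a0546' sourcetype='sourcetype::audittrail' (1 missing total)
IndexProcessor - received event for unconfigured/disabled index='_internal' with source='source::/opt/local/qosmont/splunk_search_head_02_sit/var/log/splunk/splunkd.log' host='host::wspra99a0546' sourcetype='sourcetype::splunkd' (2 missing total)
IndexProcessor - received eve
"""

def summarize_dropped(lines):
    """Group warnings by index; return (per_index, highest counter, skipped)."""
    per_index = defaultdict(
        lambda: {"warnings": 0, "hosts": set(), "sourcetypes": set()})
    max_missing = 0   # highest "(N missing total)" value seen
    skipped = 0       # IndexProcessor lines that did not parse fully
    for line in lines:
        m = WARNING_RE.search(line)
        if m is None:
            if "IndexProcessor" in line:
                skipped += 1
            continue
        entry = per_index[m["index"]]
        entry["warnings"] += 1
        entry["hosts"].add(m["host"])
        entry["sourcetypes"].add(m["sourcetype"])
        max_missing = max(max_missing, int(m["missing"]))
    return dict(per_index), max_missing, skipped

if __name__ == "__main__":
    per_index, max_missing, skipped = summarize_dropped(SAMPLE_LOG.splitlines())
    for name, info in sorted(per_index.items()):
        # Assumption: internal indexes start with "_" (e.g. the audit trail).
        tag = "internal" if name.startswith("_") else "custom"
        print(f"{name} ({tag}): {info['warnings']} warning(s), "
              f"hosts={sorted(info['hosts'])}, "
              f"sourcetypes={sorted(info['sourcetypes'])}")
    print(f"highest missing counter: {max_missing}, unparsed lines: {skipped}")
```

An `_audit` entry in the output means audit-trail events were being discarded while the index was disabled, so that period is worth noting as a gap in the audit record.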
This worked. Can you explain why indexes automatically got enabled when it is restarted?
Thank You