Getting Data In

I disabled an index, but still receiving data. Why ?

damode
Motivator

I no longer wanted any data with index=windows, so I disabled it. However, I am still receiving data targeted at it. How can I avoid this ?

I know, I can set the receiving logs to nullqueue, but I wanted to do it the easy way as Splunk doc already states "once an index is disabled, splunkd will no longer accept data targeted at it"

Why am I still receiving data ?

0 Karma

gcusello
SplunkTrust

Hi damode,
By disabling an index you disable the container where logs are stored, so you'll receive the message that you're receiving logs for an unconfigured or disabled index.
If you don't want to receive logs, you have to disable the related stanzas in inputs.conf of each forwarder.

In other words you have to go on Deployment server (if you have) and modify your Splunk_TA_Windows\default\inputs.conf and put in each interested stanza disabled=1 and deploy.

A question: did you install Splunk_TA_Windows?
If you didn't do it, you have to go on $SPLUNK_HOME\etc\system\local\inputs.conf and do the above action and restart forwarder.

What logs are you speaking of ?

If you're speaking of logs of your Windows Splunk Server, go in [Settings -- Data Inputs -- ] and disable the interested data Input.

Bye.
Giuseppe

0 Karma

damode
Motivator

Hi @cusello,

The logs are from a mail server where a universal forwarder is installed. Based on your input, I am guessing, I have to disable it on the U.F.

I have installed Splunk_TA_Windows but I have disabled the inputs on the H.F, still no success.

0 Karma

gcusello
SplunkTrust

Yes, you have to disable the input on the Universal Forwarder that is sending logs.
On your UF (on the mail server), have you installed Splunk_TA_Windows?
If yes, you have to see which logs you're receiving and disable the corresponding stanza, or otherwise disable all stanzas that are sending logs to index=windows.
And afterwards restart Splunk on the UF.

If you continue to receive logs, you have to debug your installation running the following command on your UF:

splunk cmd btool inputs list --debug > inputs.txt

and see where index=windows is addressed.

Bye.
Giuseppe

0 Karma
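As an added example (not part of this thread and not Splunk's own tooling), a small Python parser for the btool --debug output mentioned above: it lists the input stanzas whose merged configuration still targets index=windows without disabled = 1, and renders the local/inputs.conf override that disables them. The sample output, file paths and stanza names are constructed; the only assumption about real btool output is the "conf file, then stanza header or key = value" layout per line.

```python
import re

# Constructed sample of `splunk cmd btool inputs list --debug` output from a UF.
# File paths and stanza names are hypothetical; each line is btool's
# "<conf file> <stanza header or key = value>" layout.
BTOOL_DEBUG = """\
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf [WinHostMon://processes]
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 0
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf index = windows
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://Security]
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 1
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf index = windows
/opt/splunkforwarder/etc/system/default/inputs.conf [monitor:///var/log/mail.log]
/opt/splunkforwarder/etc/system/default/inputs.conf index = mail
"""

# The path may contain spaces on Windows, so anchor on the trailing inputs.conf.
LINE_RE = re.compile(r"^(.*?inputs\.conf)\s+(.*)$")

def parse_btool_debug(text):
    """Map stanza name -> {key: (value, conf file that won the merge)}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path, setting = m.groups()
        if setting.startswith("[") and setting.endswith("]"):
            current = setting[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in setting:
            key, value = (p.strip() for p in setting.split("=", 1))
            stanzas[current][key] = (value, path)
    return stanzas

def active_inputs_for_index(text, index_name):
    """Stanzas still sending to index_name (disabled missing or 0/false)."""
    hits = []
    for stanza, settings in parse_btool_debug(text).items():
        idx, idx_path = settings.get("index", ("", ""))
        disabled = settings.get("disabled", ("0", ""))[0].lower()
        if idx == index_name and disabled not in ("1", "true"):
            hits.append((stanza, idx_path))
    return hits

def disable_override(stanzas):
    """Render a local/inputs.conf fragment that disables the given stanzas."""
    return "".join(f"[{stanza}]\ndisabled = 1\n\n" for stanza in stanzas)
```

Feed it the real file with `active_inputs_for_index(open("inputs.txt").read(), "windows")`; the rendered fragment goes into the app's local/inputs.conf, followed by a forwarder restart.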

damode
Motivator

Hi Giuseppe,

Thanks for that. So what happens to this data which has its target index disabled? Would it still get indexed or made searchable, or would it get discarded by Splunk?

0 Karma

gcusello
SplunkTrust

Hi damode,
Usually they are stored in the default index (usually main).
Bye.
Giuseppe

0 Karma

kamlesh_vaghela
SplunkTrust

HI @damode,

Which architecture are you using (single instance Splunk OR clustered)?

Thanks

0 Karma

damode
Motivator

Hi Kamlesh, it's distributed search with 1 S.H., 1 IND and 1 H.F.
Thanks

0 Karma

kamlesh_vaghela
SplunkTrust

Strange.
If the index is properly disabled then it should not even return results (if I'm not wrong, you are checking events by executing a search).

Have you disabled index using this step on INDEXER?

To do this, navigate to Settings > Indexes and click Disable to the right of the index you want to disable.

Then check the availability of the index on the other instances. I hope the other instances do not have the definition of the index.

Thanks

0 Karma

damode
Motivator

I don't see any result for that index in the search as it's disabled, but I am getting this message: "Received event for unconfigured/disabled/deleted index=windows with source="source::processes" host="host::WEB" sourcetype="sourcetype::WinHostMon""

0 Karma

kamlesh_vaghela
SplunkTrust

HI @damode,

Yes, this is normal. If the Indexer is getting events and the suitable index does not exist or is disabled, then the events will be skipped and not indexed. In this case, such notifications will be displayed in the Messages box.

In your case, you don't want to index any events and don't even want to get any events on the INDEXER. So, in this case, I suggest disabling those scripts OR the TA (if a single TA generates all these events) whose index=windows. In your case, you tried disabling the Splunk_TA_Windows app.

1) One of my questions is: have you restarted the HF after disabling Splunk_TA_Windows?
2) Is the HF the only source which forwards events to the INDEXER, or are any other instances also sending events?

Thanks

0 Karma