What happens when the forwarder is configured to send data to a non-existent index?

jwillaime
Explorer

Hello,

I would like to know what happens when the forwarder is configured to send data to a non-existent index, either with or without Indexer Acknowledgement enabled. All other parameters are set to the default ones.

I was trying to send data to a supposed index that is in fact not yet created, but I couldn't find any error message showing me that something was wrong (I looked into the metric.log and the splunkd.log of the forwarder).

Did I miss something?

Thank you in advance.

0 Karma
1 Solution

damien_chillet
Builder

In indexes.conf: (https://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Indexesconf)

lastChanceIndex = <index name>
* Gives ability to define a last chance index for events destined for
  non-existent indexes.
* If an event arrives whose index destination key points to an index that is
  not configured (such as when using index=<index name> in the input stanza or
  by a setting in a transform), it will route that event to the index specified
  by this setting. The index destination key of that event will be overwritten
  with the specified index name before routing.
* <index name> must name an existing enabled index. Splunk will not start if
  this is not the case.
* If this setting is not defined or is empty, it will drop such events.
* If set to "default", then the default index specified by the
  "defaultDatabase" will be used as a last chance index.
* Defaults to empty.


kmorris_splunk
Splunk Employee

You should receive a message, something like "Received event for unconfigured/disabled/deleted index=" under Messages in your Search Head. The data will just get dropped when it hits the indexer(s).

Are you sending other data from the same forwarder? Verify that there are no firewalls blocking data from the forwarder.

All in all, you should either create the index manually or by installing any appropriate TAs (Add-ons) per that TA's documentation.

0 Karma
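
An added example, not from the thread or from Splunk: a pre-deployment check that applies the lastChanceIndex rules quoted in the accepted answer to a forwarder's inputs.conf and reports which inputs would be indexed, rerouted, or silently dropped (the logging gap described in the reply above). The config text and index names are constructed, the merged indexes.conf is assumed to fit in one string, and defaultDatabase is assumed to default to main.

```python
import configparser

# Constructed sample configs (not from the thread); all index names are hypothetical.
INPUTS_CONF = """
[monitor:///var/log/auth.log]
index = os_linux

[monitor:///var/log/nginx/access.log]
index = web_proxy
"""

INDEXES_CONF = """
[default]
lastChanceIndex = lastchance

[main]
[os_linux]
[lastchance]
"""

def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def route(inputs_text, indexes_text):
    """Return {input stanza: (final index or None, status)} per the quoted spec."""
    inputs, indexes = _load(inputs_text), _load(indexes_text)
    glob = indexes["default"] if indexes.has_section("default") else {}
    configured = {s for s in indexes.sections() if s != "default"}
    default_db = glob.get("defaultDatabase", "main")  # assumption: stock default is main
    last_chance = glob.get("lastChanceIndex", "").strip()
    if last_chance == "default":
        last_chance = default_db
    if last_chance and last_chance not in configured:
        # The spec says Splunk will not start in this case.
        raise ValueError(f"lastChanceIndex names unknown index {last_chance!r}")
    result = {}
    for stanza in inputs.sections():
        dest = inputs[stanza].get("index", default_db)
        if dest in configured:
            result[stanza] = (dest, "indexed")
        elif last_chance:
            result[stanza] = (last_chance, f"rerouted from missing index {dest}")
        else:
            result[stanza] = (None, f"dropped, missing index {dest}")
    return result

if __name__ == "__main__":
    for stanza, outcome in route(INPUTS_CONF, INDEXES_CONF).items():
        print(stanza, "->", outcome)
```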
