Getting Data In

"Received event for unconfigured/disabled/deleted

rakeshksingh
New Member

Hi All,

"Received event for unconfigured/disabled/deleted "
Facing the above message from a number of hosts with different index names.

As logs are coming from an unknown UF to the indexer, how can I stop these messages without creating indexes?

Thanks
Rakesh

0 Karma

DalJeanis
Legend

You have two different issues here.

1) An unknown UF is sending information, which your indexers are attempting to index.

2) Your indexers are determining that that data should be in an index that does not exist.

Each of these is a configuration issue.

In order for your indexer to be determining that the events should be placed in a nonexistent index, there generally must be a configuration ON THAT INDEXER that sends them there. Find that configuration and fix it.

If there is no configuration on the indexer that sends data to that index, then you have a heavy forwarder half-cooking the data and sending it to the indexers. If there are heavy forwarders in your overall system configuration, that is the place to look for the issue.


Finally, if that UF is completely rogue and the data is not useful, then you can just route all data from that UF to the null queue.

Just create a stanza for that UF/host as per this doc:

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_event_data...
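As an added example (not from the original post or from the Splunk documentation page linked above), this is what such a stanza pair looks like. `rogue-uf-host.example` is a placeholder for the host name that appears in the warning, and the stanza name `drop_rogue_host` is an arbitrary label; both files go on the indexer, or on the heavy forwarder if one parses the data before the indexer, because nullQueue routing happens at parse time on the first full Splunk instance the data reaches.

```ini
# props.conf (indexer, or heavy forwarder if one parses first)
# Placeholder host: replace with the host name reported in the warning.
[host::rogue-uf-host.example]
TRANSFORMS-dropRogue = drop_rogue_host

# transforms.conf
# Match every event from that host and send it to the null queue, where it
# is discarded before it reaches any index.
[drop_rogue_host]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
```

Two caveats: the data is still received and parsed before it is discarded, so this silences the warning but does not stop the forwarder from consuming indexer resources, and the `[host::...]` stanza only matches the host value the forwarder presents, so confirm that value from the warning before relying on it. If the forwarder should never have been able to connect at all, restricting the receiving input with `acceptFrom` in inputs.conf on the indexer is the more fundamental fix.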

harsmarvania57
Ultra Champion

Hi,

If you want to ingest that data and do not want to create new indexes, then you can use the settings below in indexes.conf on the indexer to ingest the data into a predefined existing index when the index the forwarder wants to ingest into does not exist. The only drawback is that every forwarder that tries to ingest data into an unconfigured/disabled/deleted index will end up in the same index, and if you want to give different users access to different forwarders' data, that will not be possible on the Search Head with index-level access because all such forwarders will send data into the same index.

lastChanceIndex = <index name>
* Gives ability to define a last chance index for events destined for
  non-existent indexes.
* If an event arrives whose index destination key points to an index that is
  not configured (such as when using index=<index name> in the input stanza or
  by a setting in a transform), it will route that event to the index specified
  by this setting.  The index destination key of that event will be overwritten
  with the specified index name before routing.
* <index name> must name an existing enabled index.  Splunk will not start if
  this is not the case.
* If this setting is not defined or is empty, it will drop such events.
* If set to "default", then the default index specified by the
  "defaultDatabase" will be used as a last chance index.
* Defaults to empty.
0 Karma
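As an added example (not from the reply above or from Splunk's own documentation), the settings below show `lastChanceIndex` pointing at a dedicated catch-all index rather than at `main`, so that misrouted data stays separate from production data and can be given its own retention. The index name `lastchance` and the 7-day retention are placeholders chosen for illustration.

```ini
# indexes.conf on the indexer (example; index name and retention are placeholders)

# Route events destined for an unconfigured/disabled/deleted index here
# instead of dropping them. This is a global setting, so it sits outside
# any index stanza. The named index must exist and be enabled, otherwise
# splunkd will not start.
lastChanceIndex = lastchance

# A dedicated catch-all index, kept apart from main so that data from
# unknown forwarders does not mix with production data.
[lastchance]
homePath   = $SPLUNK_DB/lastchance/db
coldPath   = $SPLUNK_DB/lastchance/colddb
thawedPath = $SPLUNK_DB/lastchance/thaweddb
# Keep quarantined data for 7 days only (value is in seconds).
frozenTimePeriodInSecs = 604800
```

After a restart, a search such as `index=lastchance | stats count by host, sourcetype` lists which forwarders are sending to a nonexistent index, which is the information needed to correct their inputs.conf `index=` setting at the source. Note that the original index name is overwritten before routing, as the spec text above states, so the intended index must be read from the splunkd warning rather than from the event itself.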

p_gurav
Champion

Did you try disabling the input and restarting the splunk service on the forwarders?

0 Karma

rakeshksingh
New Member

Thanks Gurav for the response.

Users forward from a UF installed on their own system; it is an unknown host for me.

0 Karma