- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to remove "received event for unconfigured/dis...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Due to some mistake, I am getting this messages:
received event for unconfigured/disabled/deleted index='2013-03-10 19:53:34_stats' with source='DatabaseQueryMonitor' host='host::Counts@PROD' sourcetype='sourcetype::appman:ExecutionTimems=' (1 missing total
How can I tell Splunk> to ge rid of this message. Clicking on the X in the web-interface does not help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue is related to Windows. The log files is still being updated while Splunk wants to read it. The log file is created by a PHP script started every 30 minutes.
In my inputs.conf I added:
ignoreOlderThan = 240m
alwaysOpenFile = 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, I know this is a few months old, but I am rather curious as to whether or not the OP had determined a way to suppress the warning message about the missing index?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Me too. Any updates?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue is related to Windows. The log files is still being updated while Splunk wants to read it. The log file is created by a PHP script started every 30 minutes.
In my inputs.conf I added:
ignoreOlderThan = 240m
alwaysOpenFile = 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the issue is not the input. but the application that supplied the data to the forwarder. I want to ignore this message. It is fixed now, but i still get the messages. Is Splunk Forwarder keeping these messages on his local queue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is one of your data sources, probably on a forwarder, is trying to send data to an index you don't have set up. The messages are telling you that they are being dropped so you are losing data. To fix this, you need to either edit the inputs.conf on the forwarder to point to a valid index, or create the index it is trying to send to on your indexer/s.
It is possible, though less likely, you have a faulty transforms.conf on your indexer that is trying to redirect it to an invalid index.
If you can't find the problem yourself, send an email to support@splunk.com and they will be able to find the error.
Bob
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the issue is not the input. but the application that supplied the data to the forwarder. I want to ignore this message. It is fixed now, but i still get the messages. Is Splunk Forwarder keeping these messages on his local queue?
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
