I'm receiving the following message on my Splunk Indexer:
Received event for unconfigured/disabled/deleted index=wineventlog with source="source::WinEventLog:System" host="host::xxx" sourcetype="sourcetype::WinEventLog:System". So far received events from 1 missing index(es).
I've seen the same question posted and resolved in many forums by simply adding the wineventlog index since it doesn't exist by default. However, that does not seem to work for me and I'm sure I'm missing something obvious.
My forwarder is forwarding custom logs; it just will not forward Windows event logs because of the above error. This is what I have in C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf :
[WinEventLog://Security]
disabled = 0
[monitor://C:\Program Files (x86)\Entrust\VerificationServer\logs\webservices.log]
disabled = false
If I modify it to explicitly use the main index as below, the event logs come through without any issues:
[WinEventLog://Security]
disabled = 0
index=main
[monitor://C:\Program Files (x86)\Entrust\VerificationServer\logs\webservices.log]
disabled = false
In both cases, my monitored log (webservices.log) gets forwarded successfully.
Using the GUI, I created a Search & Reporting index called wineventlog, restarted both the indexer and forwarder, but nothing comes through. It set the contents of my etc/apps/search/local/indexes.conf file to the following:
[wineventlog]
coldPath = $SPLUNK_DB/wineventlog/colddb
homePath = $SPLUNK_DB/wineventlog/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
I've also tried selecting Distributed Management Console, Home and App Browser under the "App" type when creating the index instead of Search & Reporting, but they all have the same behaviour.
My question is, is there anything else I need to do in order to get my indexer to use this index?
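The mismatch behind the "unconfigured/disabled/deleted index" message is that the index a forwarder input will write to (the effective index= after Splunk layers the app's default/inputs.conf under local/inputs.conf, falling back to main when no stanza sets one) is not defined or is disabled on the indexer. The script below is an added example, not Splunk's own code or part of the question: it parses the .conf text with Python's configparser, merges the default and local layers the way Splunk does (local wins per key), and lists every enabled input whose effective index is not defined on the indexer. The default/inputs.conf content is constructed for the demo and does not claim to be what Splunk_TA_windows ships; the local/inputs.conf and indexes.conf text is taken from the question. BUILTIN_INDEXES lists indexes that exist on a fresh indexer without an indexes.conf stanza.

```python
"""Check which Splunk index each input stanza will land in, and whether that
index exists on the indexer.  Added example, not Splunk code."""
import configparser
from typing import Dict, List, Tuple

DEFAULT_INDEX = "main"   # Splunk's default when a stanza sets no index=
# Indexes present on a stock indexer without any indexes.conf stanza.
BUILTIN_INDEXES = {"main", "history", "summary", "_internal", "_audit"}


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text (INI-like) into {stanza: {key: value}}.
    Interpolation is off so values such as $SPLUNK_DB survive, and keys keep
    their case because Splunk setting names are case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def merge_layers(default: Dict[str, Dict[str, str]],
                 local: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Layer local/ over default/ the way Splunk does: per key, local wins,
    keys not set in local keep the default/ value (this is why a local stanza
    with only disabled = 0 can still inherit index = from default/)."""
    merged = {s: dict(kv) for s, kv in default.items()}
    for s, kv in local.items():
        merged.setdefault(s, {}).update(kv)
    return merged


def layered_inputs(default_text: str, local_text: str) -> Dict[str, Dict[str, str]]:
    return merge_layers(parse_conf(default_text), parse_conf(local_text))


def is_enabled(stanza: Dict[str, str]) -> bool:
    return stanza.get("disabled", "0").strip().lower() not in ("1", "true")


def effective_index(stanza: Dict[str, str]) -> str:
    return stanza.get("index", DEFAULT_INDEX).strip()


def defined_indexes(indexes_text: str) -> set:
    """Indexes the indexer will accept: built-ins plus every enabled,
    non-volume stanza in its indexes.conf."""
    defined = set(BUILTIN_INDEXES)
    for name, kv in parse_conf(indexes_text).items():
        if name == "default" or name.startswith("volume:"):
            continue
        if is_enabled(kv):
            defined.add(name)
    return defined


def find_unconfigured_inputs(inputs: Dict[str, Dict[str, str]],
                             indexer_indexes_text: str) -> List[Tuple[str, str]]:
    """Return (input stanza, index) for every enabled input whose effective
    index is missing or disabled on the indexer."""
    defined = defined_indexes(indexer_indexes_text)
    problems = []
    for name, kv in inputs.items():
        if name == "default" or not is_enabled(kv):
            continue
        idx = effective_index(kv)
        if idx not in defined:
            problems.append((name, idx))
    return problems


# Constructed stand-in for the app's default/inputs.conf on the forwarder:
# the stanza is shipped disabled but already points at index wineventlog.
DEFAULT_INPUTS = """
[WinEventLog://Security]
disabled = 1
index = wineventlog
"""

# The poster's local/inputs.conf (enables the stanza, sets no index=).
LOCAL_INPUTS = r"""
[WinEventLog://Security]
disabled = 0
[monitor://C:\Program Files (x86)\Entrust\VerificationServer\logs\webservices.log]
disabled = false
"""

# The poster's variant that pins the input to main.
LOCAL_INPUTS_EXPLICIT = LOCAL_INPUTS.replace("disabled = 0", "disabled = 0\nindex=main")

INDEXER_INDEXES_MISSING = ""          # indexer with no wineventlog index
INDEXER_INDEXES_CREATED = """
[wineventlog]
coldPath = $SPLUNK_DB/wineventlog/colddb
homePath = $SPLUNK_DB/wineventlog/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
"""

if __name__ == "__main__":
    inputs = layered_inputs(DEFAULT_INPUTS, LOCAL_INPUTS)
    for stanza, idx in inputs.items():
        print(f"{stanza}: enabled={is_enabled(idx)} index={effective_index(idx)}")
    print("missing on indexer:", find_unconfigured_inputs(inputs, INDEXER_INDEXES_MISSING))
    print("after creating it :", find_unconfigured_inputs(inputs, INDEXER_INDEXES_CREATED))
```

Run against the real files (default/inputs.conf and local/inputs.conf from the forwarder's app, and the indexes.conf the indexer actually loads, which need not be the one under etc/apps/search/local if another app defines the same stanza) to see the effective index per input without guessing from a single layer.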