https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306948#M5220 <P>I am getting messages (in the messages section, not in Splunkd) that:</P> <PRE><CODE>Search peer idxX.XXX has the following message: Received event for unconfigured/disabled/deleted index=XXX with source=XXX host=XXX sourcetype="sourcetype::syslog_nohost". So far received events from 1 missing index(es). </CODE></PRE> <P>I am having trouble isolating which sources are causing the trouble. I know that Splunk is binning these messages, and I have looked in _internal but am not able to get any further info on these. Are there any logs to see anything further about them? If I could graph the frequency of the messages over time to be able to determine when it started, it would be a help.</P> Mon, 22 May 2017 14:58:12 GMT lennys26 2017-05-22T14:58:12Z https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306948#M5220 <P>I am getting messages (in the messages section, not in Splunkd) that:</P> <PRE><CODE>Search peer idxX.XXX has the following message: Received event for unconfigured/disabled/deleted index=XXX with source=XXX host=XXX sourcetype="sourcetype::syslog_nohost". So far received events from 1 missing index(es). </CODE></PRE> <P>I am having trouble isolating which sources are causing the trouble. I know that Splunk is binning these messages, and I have looked in _internal but am not able to get any further info on these. Are there any logs to see anything further about them? If I could graph the frequency of the messages over time to be able to determine when it started, it would be a help.</P> Mon, 22 May 2017 14:58:12 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306948#M5220 lennys26 2017-05-22T14:58:12Z https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306949#M5221 <P>Hello,</P> <P>I did a quick test (Splunk version 6.2.1): </P> <P>On messages I got:</P> <PRE><CODE>received event for unconfigured/disabled/deleted index='lost_index' with source='source::/tmp/test' host='host::localhost.localdomain' sourcetype='sourcetype::anything' (1 missing total) </CODE></PRE> <P>On splunkd.log (/opt/splunk/var/log/splunk/splunkd.log):</P> <PRE><CODE>05-22-2017 17:30:43.276 +0200 WARN IndexProcessor - received event for unconfigured/disabled/deleted index='lost_index' with source='source::/tmp/test' host='host::localhost.localdomain' sourcetype='sourcetype::anything' (1 missing total) </CODE></PRE> <P>Regards</P> Mon, 22 May 2017 15:38:03 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306949#M5221 aakwah 2017-05-22T15:38:03Z https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306950#M5222 <P>Hello @lennys26<BR /> the source for this error is that you have 1 or more inputs.conf that specifies an index that does not exist (or enabled) on your indexer.<BR /> you can look in inputs.conf using btool and see where in inputs.conf you have that index (that does not exist) specified.<BR /> more here: <A href="https://docs.splunk.com/Documentation/Splunk/6.6.0/Troubleshooting/Usebtooltotroubleshootconfigurations">https://docs.splunk.com/Documentation/Splunk/6.6.0/Troubleshooting/Usebtooltotroubleshootconfigurations</A><BR /> you can look for the first event by searching text literally and then piping to reverse <CODE>... | reverse</CODE> to see first event (play with time picker here)<BR /> or you can pipe to timechart count <CODE>... | timechart count</CODE> and see a graph of error counts over time.<BR /> hope it helps</P> Mon, 22 May 2017 15:39:06 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306950#M5222 adonio 2017-05-22T15:39:06Z https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306951#M5223 <P>Hi @aakwah -- I would have expected to find those messages, however do not see anything at all related to my alerts. I have expanded to all of _internal and don't see anything. I wonder if it is because I am in Cloud, that the logs are missing...</P> Mon, 22 May 2017 15:47:58 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306951#M5223 lennys26 2017-05-22T15:47:58Z https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306952#M5224 <P>are you an admin?<BR /> only admins has access to _internal indexes<BR /> also, being on cloud, I suspect you need a ticket for new index so maybe that index was yet to created by Cloud operation team</P> Mon, 22 May 2017 15:51:51 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306952#M5224 adonio 2017-05-22T15:51:51Z https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306953#M5225 <P>Hi @adonio -- Thanks. These are coming from our app client so my dev team is looking for a bit of info as to which one/version/platform/etc. Anything from the raw log that could give us a pointer. Even if we could trim this to a time of day or starting date we could match it to a release schedule or something.</P> <P>I have done a pure text search across all of _internal and see nothing at all which is not what I would expect, unless this is because I am in Splunk Cloud...</P> Mon, 22 May 2017 15:54:15 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306953#M5225 lennys26 2017-05-22T15:54:15Z https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306954#M5226 <P>@lennys26 I did the test on my lab, I've no idea how Splunk cloud handling these logs</P> Mon, 22 May 2017 16:13:12 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306954#M5226 aakwah 2017-05-22T16:13:12Z https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306955#M5227 <P>This log is notoriously nondescript and the best way to get complete detail is to configure a <CODE>LAST_CHANCE_INDEX</CODE>:</P> <P><A href="http://www.smtware.com/en/splunk/splunk-your-last-chance">http://www.smtware.com/en/splunk/splunk-your-last-chance</A></P> Mon, 22 May 2017 18:28:35 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306955#M5227 woodcock 2017-05-22T18:28:35Z https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306956#M5228 <P>@Woodcock - A couple of ways around this .... creating the <CODE>LAST_CHANCE_INDEX</CODE> is a good overall solution. Also, I guess I could have just created the missing index in my case and captured/analyzed the data (DOH!). Thx.</P> Tue, 23 May 2017 07:53:25 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306956#M5228 lennys26 2017-05-23T07:53:25Z https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306957#M5229 <P>I configure it for <CODE>main</CODE> and then only use <CODE>main</CODE> for testing in production. In other words, there should NEVER be anything in <CODE>main</CODE>, and if there is, it means that somebody goofed.</P> Mon, 23 Oct 2017 23:54:24 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-find-more-detail-on-error-quot-Received-event-for/m-p/306957#M5229 woodcock 2017-10-23T23:54:24Z