All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Add-on for Microsoft Windows: Why am I getting error "received event for unconfigured/disabled/deleted index='sec_events'"?

weicai88
Path Finder
‎08-07-2015 02:13 PM

I have a distributed deployment and use a Universal Forwarder on Windows to get the event logs and performance information into indexers. After deploying the Splunk_TA_windows to the Windows client, the event log data comes into the indexers and get indexed to wineventlog just fine. However, I still get errors as below:

Search peer idx2 has the following message: received event for unconfigured/disabled/deleted index='sec_events' with source='source::Perfmon:Available Memory' host='host::Prod-TS1' sourcetype='sourcetype::Perfmon:Available Memory' (1 missing total) 8/7/2015, 3:40:29 PM

I checked both my indexers and forwarders, but could not find where the index "sec_events" came from. If you have any suggestions please let me know.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

weicai88
Path Finder
‎08-11-2015 10:28 AM

I noticed that even after I stopped the Forwarder, the errors still popped up so it didn't appear to be from the data source. I then restarted one of the three indexers and that cleared up all the errors.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

weicai88
Path Finder
‎08-11-2015 10:28 AM

I noticed that even after I stopped the Forwarder, the errors still popped up so it didn't appear to be from the data source. I then restarted one of the three indexers and that cleared up all the errors.

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎08-10-2015 04:59 AM

How are you checking your forwarders? Have you tried btool?

0 Karma
Reply
Solved! Jump to solution

weicai88
Path Finder
‎08-10-2015 11:30 AM

Jeff,

Yes, btool was what I used to search where the index came from on both the indexers and forwarder. "sec_events" is not present in the output.

Thanks,
Wei

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎08-10-2015 10:55 PM

You need to look at the inputs. This command

./splunk cmd btool inputs list --debug | grep sec_events

should show you which is the input in question and its location.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top