All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Add-on for Microsoft Windows: Why am I getting error "received event for unconfigured/disabled/deleted index='sec_events'"?

weicai88
Path Finder
‎08-07-2015 02:13 PM

I have a distributed deployment and use a Universal Forwarder on Windows to get the event logs and performance information into indexers. After deploying the Splunk_TA_windows to the Windows client, the event log data comes into the indexers and get indexed to wineventlog just fine. However, I still get errors as below:

Search peer idx2 has the following message: received event for unconfigured/disabled/deleted index='sec_events' with source='source::Perfmon:Available Memory' host='host::Prod-TS1' sourcetype='sourcetype::Perfmon:Available Memory' (1 missing total) 8/7/2015, 3:40:29 PM

I checked both my indexers and forwarders, but could not find where the index "sec_events" came from. If you have any suggestions please let me know.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

weicai88
Path Finder
‎08-11-2015 10:28 AM

I noticed that even after I stopped the Forwarder, the errors still popped up so it didn't appear to be from the data source. I then restarted one of the three indexers and that cleared up all the errors.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

weicai88
Path Finder
‎08-11-2015 10:28 AM

I noticed that even after I stopped the Forwarder, the errors still popped up so it didn't appear to be from the data source. I then restarted one of the three indexers and that cleared up all the errors.

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎08-10-2015 04:59 AM

How are you checking your forwarders? Have you tried btool?

0 Karma
Reply
Solved! Jump to solution

weicai88
Path Finder
‎08-10-2015 11:30 AM

Jeff,

Yes, btool was what I used to search where the index came from on both the indexers and forwarder. "sec_events" is not present in the output.

Thanks,
Wei

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎08-10-2015 10:55 PM

You need to look at the inputs. This command

./splunk cmd btool inputs list --debug | grep sec_events

should show you which is the input in question and its location.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...