All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Add-on for Microsoft Windows: Why am I getting error "received event for unconfigured/disabled/deleted index='sec_events'"?

weicai88
Path Finder
‎08-07-2015 02:13 PM

I have a distributed deployment and use a Universal Forwarder on Windows to get the event logs and performance information into indexers. After deploying the Splunk_TA_windows to the Windows client, the event log data comes into the indexers and get indexed to wineventlog just fine. However, I still get errors as below:

Search peer idx2 has the following message: received event for unconfigured/disabled/deleted index='sec_events' with source='source::Perfmon:Available Memory' host='host::Prod-TS1' sourcetype='sourcetype::Perfmon:Available Memory' (1 missing total) 8/7/2015, 3:40:29 PM

I checked both my indexers and forwarders, but could not find where the index "sec_events" came from. If you have any suggestions please let me know.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

weicai88
Path Finder
‎08-11-2015 10:28 AM

I noticed that even after I stopped the Forwarder, the errors still popped up so it didn't appear to be from the data source. I then restarted one of the three indexers and that cleared up all the errors.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

weicai88
Path Finder
‎08-11-2015 10:28 AM

I noticed that even after I stopped the Forwarder, the errors still popped up so it didn't appear to be from the data source. I then restarted one of the three indexers and that cleared up all the errors.

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎08-10-2015 04:59 AM

How are you checking your forwarders? Have you tried btool?

0 Karma
Reply
Solved! Jump to solution

weicai88
Path Finder
‎08-10-2015 11:30 AM

Jeff,

Yes, btool was what I used to search where the index came from on both the indexers and forwarder. "sec_events" is not present in the output.

Thanks,
Wei

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎08-10-2015 10:55 PM

You need to look at the inputs. This command

./splunk cmd btool inputs list --debug | grep sec_events

should show you which is the input in question and its location.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...