Since 7.3 the missing indexes message below goes to all my users causing many panicked questions about Splunk being down. How can I block this message? I don't see any stanza in default/messages.conf that matches this verbiage.
Search peer indx01 has the following message: Received event for unconfigured/disabled/deleted index=indexname with source="source::vmstat" host="hostname" sourcetype="sourcetype::vmstat". So far received events from 1 missing index
Hi @twinspop,
Settings > User Interface > Bulletin messages to configure stuff like this (new to me). However, I see nothing personally when I go there. While I do not agree with this approach, if you really want to do this, could you try this search (replace the third part with your error message or a part of it). Keep in mind that I am guessing because I would never do this in my own environment.
index=_internal sourcetype=splunkd [index=indexname]
From there, on your search head (wherever users access Splunk), you should get an extracted component field and log_level field. From there, go to Settings > Server Settings > Server Logging and click the derived component from previously. You can change the log level of that component (only show FATAL, CRIT, ERROR, WARN, INFO, DEBUG and greater). That might suppress the warnings shown to the users if they are based on the splunkd logs.
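As an added example (not part of any answer in this thread): a small Python script that parses splunkd log lines carrying the missing-index message quoted above, pulls out the component and log_level fields the answer refers to, and reports which hosts are sending to each unconfigured index, so the admin knows which index to create or which inputs to fix. The sample log lines are constructed; the component name (IndexProcessor) and host names in them are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample splunkd.log lines in the usual splunkd layout
# (timestamp, level, component, message). Component and host names
# are assumptions for illustration, not taken from a real deployment.
SAMPLE_LOG = """\
09-01-2019 10:00:01.100 +0000 WARN  IndexProcessor - Received event for unconfigured/disabled/deleted index=indexname with source="source::vmstat" host="hostname" sourcetype="sourcetype::vmstat". So far received events from 1 missing index
09-01-2019 10:00:02.200 +0000 WARN  IndexProcessor - Received event for unconfigured/disabled/deleted index=indexname with source="source::iostat" host="web02" sourcetype="sourcetype::iostat". So far received events from 1 missing index
09-01-2019 10:00:03.300 +0000 WARN  IndexProcessor - Received event for unconfigured/disabled/deleted index=oldapp with source="source::/var/log/app.log" host="app07" sourcetype="sourcetype::app". So far received events from 2 missing indexes
09-01-2019 10:00:04.400 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=12.3
"""

# Generic splunkd line: "<date> <time> <tz> <LEVEL> <Component> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) (?P<log_level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
# The specific warning discussed in the thread
MISSING_RE = re.compile(
    r'Received event for unconfigured/disabled/deleted index=(?P<index>\S+) '
    r'with source="(?P<source>[^"]*)" host="(?P<host>[^"]*)" '
    r'sourcetype="(?P<sourcetype>[^"]*)"'
)

def parse_missing_index_events(text):
    """Return one dict per missing-index warning found in the log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a well-formed splunkd line
        mm = MISSING_RE.search(m.group("msg"))
        if not mm:
            continue  # some other component/message, ignore
        ev = {"log_level": m.group("log_level"), "component": m.group("component")}
        ev.update(mm.groupdict())
        events.append(ev)
    return events

def hosts_by_missing_index(events):
    """Map each missing index name to the sorted list of hosts sending to it."""
    table = defaultdict(set)
    for ev in events:
        table[ev["index"]].add(ev["host"])
    return {idx: sorted(hosts) for idx, hosts in table.items()}

if __name__ == "__main__":
    evs = parse_missing_index_events(SAMPLE_LOG)
    for idx, hosts in hosts_by_missing_index(evs).items():
        print(f"index={idx} missing; sending hosts: {', '.join(hosts)}")
```

Point the script at a splunkd.log export (or the results of the index=_internal search above) instead of SAMPLE_LOG to get the real host list.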
Hello twinspop,
Unfortunately, I do not think there is any way to control which users see these messages. You could resolve this issue either by creating a new index or by disabling the monitor inputs causing those messages.
Well that sucks. Thanks for the confirmation. Without direct control over the thousands of forwarders sending to my indexers, I guess I'm just boned.
Well, you could try @jacobevans' solution and see if it helps!