
How do I block GUI messages about missing indexes?

Influencer

Since 7.3 the missing indexes message below goes to all my users causing many panicked questions about Splunk being down. How can I block this message? I don't see any stanza in default/messages.conf that matches this verbiage.

Search peer indx01 has the following message: Received event for unconfigured/disabled/deleted index=indexname with source="source::vmstat" host="hostname" sourcetype="sourcetype::vmstat". So far received events from 1 missing index
0 Karma

Re: How do I block GUI messages about missing indexes?

SplunkTrust

Hello twinspop,
Unfortunately, I do not think there is any way to control which users see these messages. You could resolve this issue either by creating a new index or by disabling the monitor inputs causing those messages.

0 Karma

Re: How do I block GUI messages about missing indexes?

Influencer

Well that sucks. Thanks for the confirmation. Without direct control over the thousands of forwarders sending to my indexers, I guess I'm just boned.

0 Karma

Re: How do I block GUI messages about missing indexes?

SplunkTrust

Well, you could try @jacobevans' solution and see if it helps!

0 Karma

Re: How do I block GUI messages about missing indexes?

Motivator

Hi @twinspop,

Edit: According to @martin_mueller here, you can just go to Settings > User Interface > Bulletin messages to configure stuff like this (new to me). However, I see nothing personally when I go there.

While I do not agree with this approach, if you really want to do this, could you try this search (replace the third part with your error message or a part of it). Keep in mind that I am guessing because I would never do this in my own environment.

index=_internal sourcetype=splunkd [index=indexname]

From there, on your search head (wherever users access Splunk), you should get an extracted component field and log_level field. From there, go to Settings > Server Settings > Server Logging and click the derived component from previously. You can change the log level of that component (only show FATAL, CRIT, ERROR, WARN, INFO, DEBUG and greater). That might suppress the warnings shown to the users if they are based on the splunkd logs.

Cheers,
Jacob
0 Karma
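
Added example, not part of any post in this thread and not Splunk's own code: a parser for the message format quoted in the question that groups the warnings by missing index, so an admin can see which indexes would need creating and which hosts and sourcetypes are sending to them. The sample lines, host names and index names are constructed; the optional quotes and `host::` prefix handling are assumptions to tolerate variations of the quoted format.

```python
import re
from collections import defaultdict

# Constructed sample bulletin messages modelled on the one quoted in the question.
SAMPLE = [
    'Search peer indx01 has the following message: Received event for unconfigured/disabled/deleted index=os_metrics with source="source::vmstat" host="web01" sourcetype="sourcetype::vmstat". So far received events from 1 missing index',
    'Search peer indx02 has the following message: Received event for unconfigured/disabled/deleted index=os_metrics with source="source::iostat" host="host::db01" sourcetype="sourcetype::iostat". So far received events from 1 missing index',
    "Search peer indx01 has the following message: Received event for unconfigured/disabled/deleted index='app_logs' with source=\"source::/var/log/app.log\" host=\"web01\" sourcetype=\"sourcetype::app\". So far received events from 2 missing index",
    "Search peer indx01 has the following message: constructed unrelated bulletin text",
]

PEER_RE = re.compile(r"Search peer (?P<peer>\S+) has the following message")
MSG_RE = re.compile(
    r"Received event for unconfigured/disabled/deleted index=['\"]?(?P<index>[^\s'\"]+)['\"]?"
    r' with source="(?:source::)?(?P<source>[^"]*)"'
    r' host="(?:host::)?(?P<host>[^"]*)"'
    r' sourcetype="(?:sourcetype::)?(?P<sourcetype>[^"]*)"'
)

def summarize(lines):
    """Group missing-index warnings by index name.

    Returns (summary, unparsed): summary maps index -> dict of sets
    (peers, hosts, sources, sourcetypes) plus a message count; unparsed
    holds lines that are not missing-index warnings.
    """
    summary = defaultdict(lambda: {"peers": set(), "hosts": set(),
                                   "sources": set(), "sourcetypes": set(),
                                   "messages": 0})
    unparsed = []
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            unparsed.append(line)
            continue
        entry = summary[m["index"]]
        peer = PEER_RE.search(line)
        if peer:  # prefix is absent when reading splunkd.log directly
            entry["peers"].add(peer["peer"])
        for field in ("host", "source", "sourcetype"):
            entry[field + "s"].add(m[field])
        entry["messages"] += 1
    return dict(summary), unparsed

if __name__ == "__main__":
    report, skipped = summarize(SAMPLE)
    for index, info in sorted(report.items()):
        print(f"{index}: {info['messages']} message(s), hosts={sorted(info['hosts'])}, "
              f"sourcetypes={sorted(info['sourcetypes'])}, peers={sorted(info['peers'])}")
    print(f"{len(skipped)} line(s) were not missing-index warnings")
```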