Since 7.3 the missing indexes message below goes to all my users causing many panicked questions about Splunk being down. How can I block this message? I don't see any stanza in default/messages.conf that matches this verbiage.
Search peer indx01 has the following message: Received event for unconfigured/disabled/deleted index=indexname with source="source::vmstat" host="hostname" sourcetype="sourcetype::vmstat". So far received events from 1 missing index
Unfortunately, I do not think there is any way to control which users see these messages. You could resolve this issue either by creating a new index or by disabling the monitor inputs causing those messages.
Well that sucks. Thanks for the confirmation. Without direct control over the thousands of forwarders sending to my indexers, I guess I'm just boned.
Settings > User Interface > Bulletin messages to configure stuff like this (new to me). However, I see nothing personally when I go there.
While I do not agree with this approach, if you really want to do this, could you try this search (replace the third part with your error message or a part of it). Keep in mind that I am guessing because I would never do this in my own environment.
index=_internal sourcetype=splunkd [index=indexname]
From there, on your search head (wherever users access Splunk), you should get an extracted component field and log_level field. Then go to Settings > Server Settings > Server Logging and click the component derived previously. You can change the log level of that component (only show FATAL, CRIT, ERROR, WARN, INFO, DEBUG and greater). That might suppress the warnings shown to the users if they are based on the splunkd logs.
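As an added example (not code from anyone in this thread), the following script does offline what the _internal search above does inside Splunk: it parses splunkd-style lines carrying the "unconfigured/disabled/deleted index" warning, lists which hosts and sourcetypes are sending to each missing index (the information needed to create the index or disable the input, as the first answer suggests), and reports the component and log_level that Server Logging would need to be adjusted for. The log lines, hostnames, indexes and the IndexProcessor component name are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed splunkd.log lines in the shape of the warning quoted in the
# question; timestamps, hosts, indexes and the IndexProcessor component
# are assumed sample values, not taken from a real deployment.
SAMPLE_LOG = """\
06-01-2019 10:15:01.123 +0000 WARN IndexProcessor - Received event for unconfigured/disabled/deleted index=indexname with source="source::vmstat" host="hostname" sourcetype="sourcetype::vmstat". So far received events from 1 missing index
06-01-2019 10:15:02.456 +0000 WARN IndexProcessor - Received event for unconfigured/disabled/deleted index=indexname with source="source::vmstat" host="web02" sourcetype="sourcetype::vmstat". So far received events from 1 missing index
06-01-2019 10:15:03.789 +0000 WARN IndexProcessor - Received event for unconfigured/disabled/deleted index=oldapp with source="source::/var/log/app.log" host="app07" sourcetype="sourcetype::app". So far received events from 2 missing indexes
06-01-2019 10:15:04.000 +0000 INFO Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2
"""

# Timestamp, log level, component, then the fields quoted in the warning text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) (?P<log_level>[A-Z]+) (?P<component>\S+) - "
    r"Received event for unconfigured/disabled/deleted index=(?P<index>\S+) "
    r'with source="(?P<source>[^"]*)" host="(?P<host>[^"]*)" '
    r'sourcetype="(?P<sourcetype>[^"]*)"'
)

def parse_missing_index_events(log_text):
    """Return one dict per matching warning line; other splunkd lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize_by_index(events):
    """Map each missing index to the sorted (host, sourcetype) pairs sending to it,
    i.e. which forwarder inputs to fix or which index to create."""
    summary = defaultdict(set)
    for ev in events:
        summary[ev["index"]].add((ev["host"], ev["sourcetype"]))
    return {idx: sorted(pairs) for idx, pairs in summary.items()}

def components_and_levels(events):
    """Distinct (component, log_level) pairs that emit these warnings."""
    return sorted({(ev["component"], ev["log_level"]) for ev in events})

if __name__ == "__main__":
    evs = parse_missing_index_events(SAMPLE_LOG)
    for idx, senders in summarize_by_index(evs).items():
        print(idx, senders)
    print(components_and_levels(evs))
```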