How can I clear this message showing at the top of the search Splunk interface?
Search peer su1-splunk-indexer02 has the following message: received event for unconfigured/disabled index='risops' with source='source::/data/kill_logs/current.log' host='host::su1-hacks10.wowadmin.net' sourcetype='sourcetype::shadowwatch' (1 missing total)
The easiest way would be to create an index called risops - it's basically telling you it's missing an index that it received an event for.
Other than that, you could fix the offending forwarder to send it to another index.
Thanks for responding, but I just want to clear the message. I've already updated the inputs.conf to not use that index. The underlying issue is resolved, but I still see this message at the top of the interface. I just want to know how to remove the message.