We recently upgraded to 4.2.2. Since the upgrade, we've been receiving yellow warning messages at the top of the Splunk Web screen (text changed):
Search peer "indexer1" has the following message: received event for unconfigured/disabled index='foo' with source='source::C:\foo.log' host='host::foo' sourcetype='sourcetype::foo-too_small' (1 missing total)
We noticed that the index name was spelled incorrectly, and have since fixed the problem. Now, 24 hours later, we can't get the error/warn message to go away on our 3 search heads. We've restarted the search heads multiple times and no luck, it's still there.
Can anyone provide any information on how to get rid of this?
Thanks!
We have solved this problem by creating an index (with the same name) on the server to which we are forwarding data from the universal forwarder.
THANKS, it worked as you suggested...
We had a similar problem, which we diagnosed and fixed. Now, the UF is no longer sending events to the wrong Indexer/Index.
BUT... We would LIKE to get rid of the error banner on the Search Head WITHOUT restarting Splunk on the Indexer(s). Our Indexers are running 4.2.5-113966, so I'm hoping things have changed such that we CAN nuke the error banner, but avoid bouncing Splunk on the Indexers.
Is it possible???
Thx,
mfeeny1
You will have to restart the splunkd on the Indexers too.