Warning Message: Received event for unconfigured/disabled index

gleblanc1783
Engager

We recently upgraded to 4.2.2. Since the upgrade, we've been receiving yellow warning messages at the top of the Splunk Web screen (text changed):

Search peer "indexer1" has the following message: received event for unconfigured/disabled index='foo' with source='source::C:\foo.log' host='host::foo' sourcetype='sourcetype::foo-too_small' (1 missing total)

We noticed that the index name was spelled incorrectly, and have since fixed the problem. Now, 24 hours later, we can't get the error/warn message to go away on our 3 search heads. We've restarted the search heads multiple times and no luck, it's still there.

Can anyone provide any information on how to get rid of this?

Thanks!

0 Karma

john
Communicator

We have solved this problem by creating an index (with the same name) on the server to which we are forwarding data from the universal forwarder.

neelamssantosh
Contributor

THANKS, it worked as you suggested...

0 Karma
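
An added example, not part of the original thread and not Splunk's own tooling: a Python script that parses warnings in the format quoted in the question, groups them by the rejected index name, and suggests which configured index that name may be a misspelling of. The sample lines, the index names and the function names are constructed for illustration.

```python
import re
from difflib import get_close_matches

# Pattern follows the banner text quoted in the question.
MSG_RE = re.compile(
    r"received event for unconfigured/disabled index='(?P<index>[^']*)'"
    r" with source='source::(?P<source>[^']*)'"
    r" host='host::(?P<host>[^']*)'"
    r" sourcetype='sourcetype::(?P<sourcetype>[^']*)'"
    r" \((?P<missing>\d+) missing total\)"
)

# Constructed sample lines (hosts, paths and index names are made up).
SAMPLE_LINES = [
    r"""Search peer "indexer1" has the following message: received event for unconfigured/disabled index='wineventlgo' with source='source::C:\logs\app.log' host='host::web01' sourcetype='sourcetype::applog' (1 missing total)""",
    r"""Search peer "indexer1" has the following message: received event for unconfigured/disabled index='wineventlgo' with source='source::C:\logs\app.log' host='host::web02' sourcetype='sourcetype::applog' (3 missing total)""",
    r"""Search peer "indexer2" has the following message: received event for unconfigured/disabled index='scratch' with source='source::/tmp/t.log' host='host::dev01' sourcetype='sourcetype::test' (2 missing total)""",
    r"""Search peer "indexer2" has the following message: some other constructed notice""",
]

def parse_warning(line):
    """Return the fields of one warning as a dict, or None for unrelated lines."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["missing"] = int(rec["missing"])
    return rec

def summarize(lines, configured_indexes):
    """Group warnings by rejected index name and suggest a likely intended index."""
    report = {}
    for rec in filter(None, map(parse_warning, lines)):
        entry = report.setdefault(rec["index"], {"origins": set(), "max_missing": 0})
        entry["origins"].add((rec["host"], rec["source"], rec["sourcetype"]))
        # Assumption: "N missing total" is a running count, so keep the highest seen.
        entry["max_missing"] = max(entry["max_missing"], rec["missing"])
    for name, entry in report.items():
        close = get_close_matches(name, configured_indexes, n=1, cutoff=0.6)
        entry["suggestion"] = close[0] if close else None
    return report

if __name__ == "__main__":
    for name, e in summarize(SAMPLE_LINES, ["main", "wineventlog", "firewall"]).items():
        print(name, e["max_missing"], sorted(e["origins"]), "->", e["suggestion"])
```

The host and source fields in each group identify which forwarder input still references the undefined index; events sent to an undefined index are counted as missing, so each group is also a gap in what the indexers hold.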

mfeeny1
Path Finder

We had a similar problem, which we diagnosed and fixed. Now, the UF is no longer sending events to the wrong Indexer/Index.

BUT... We would LIKE to get rid of the error banner on the Search Head WITHOUT restarting Splunk on the Indexer(s). Our Indexers are running 4.2.5-113966, so I'm hoping things have changed such that we CAN nuke the error banner, but avoid bouncing Splunk on the Indexers.

Is it possible???

Thx,
mfeeny1

0 Karma

gekoner
Communicator

You will have to restart the splunkd on the Indexers too.

0 Karma