Warning Message: Received event for unconfigured/disabled index


We recently upgraded to 4.2.2. Since the upgrade - we've been receiving yellow warning messages at the top of the Splunk Web screen (text changed):

Search peer "indexer1" has the following message: received event for unconfigured/disabled index='foo' with source='source::C:\foo.log' host='host::foo' sourcetype='sourcetype::foo-too_small' (1 missing total)

We noticed that the index name was spelled incorrectly, and have since fixed the problem. Now, 24 hours later, we can't get the error/warn message to go away on our 3 search heads. We've restarted the search heads multiple times and no luck, it's still there.

Can anyone provide any information on how to get rid of this?


Tags (3)
0 Karma


We have solved this problem by creating an index(with same name) in the server which we forwarding datas from unversal forwader.


THANKS it worked as u suggested...

0 Karma

Path Finder

We had similar problem, which we diagnosed and fixed. Now, the UF is no longer sending events to the wrong Indexer/Index.

BUT... We would LIKE to get rid of the error banner on the Search Head WITHOUT restarting Splunk on the Indexer(s). Our Indexers are running 4.2.5-113966, so I'm hoping things have changed such that we CAN nuke the error banner, but avoid bouncing Splunk on the Indexers.

Is it possible???


0 Karma


You will have to restart the splunkd on the Indexers too.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!