Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

_audit index remains disabled

Dark_Ichigo
Builder
‎10-26-2011 11:11 PM

Im always getting this error related to the internal _audit index in Splunk:

**received event for unconfigured/disabled index='_audit' with source='source::audittrail' host='host::myhost100' sourcetype='sourcetype::audittrail' (1 missing total)**

Iv tried to enable it but it remains disabled, any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Dark_Ichigo
Builder
‎11-27-2011 04:36 PM

I solved the problem by shutting down Splunkd, then deleting the _audit index manually from the CLI, after a Restart, the _audit Index was enabled again.

BTW... mmather67 you do have a point.

View solution in original post

Reply
Solved! Jump to solution
Solution

Dark_Ichigo
Builder
‎11-27-2011 04:36 PM

I solved the problem by shutting down Splunkd, then deleting the _audit index manually from the CLI, after a Restart, the _audit Index was enabled again.

BTW... mmather67 you do have a point.

Reply
Solved! Jump to solution

sdwilkerson
Contributor
‎11-27-2011 08:12 PM

Dark_Ichigo,
If you mean you removed the actual _audit index directory from $SPLUNK_DB, then there is a good chance that there was a duplicate bucket ID that was causing a conflict. An auto-disabled index is often the result of a duplicate bucket ID. There is no natural reason for a duplicate, unless of course you moved/migrated the index from another instance or did something else strange. See this recent post if this was the case: http://splunk-base.splunk.com/answers/34811/how-can-i-find-all-duplicate-bucket-ids-that-are-causing...

0 Karma
Reply
Solved! Jump to solution

mmather67
Path Finder
‎11-25-2011 07:51 AM

Look for the question "Why is my index disabled?" The answer is there.

PS I wish this site showed what year messages were written.

PPS I wish this site would get you to log in before starting to write an answer. As it is, if you are not already logged in, you write an answer and then lose it.

Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...