Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

_audit index remains disabled

Dark_Ichigo
Builder
‎10-26-2011 11:11 PM

Im always getting this error related to the internal _audit index in Splunk:

**received event for unconfigured/disabled index='_audit' with source='source::audittrail' host='host::myhost100' sourcetype='sourcetype::audittrail' (1 missing total)**

Iv tried to enable it but it remains disabled, any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Dark_Ichigo
Builder
‎11-27-2011 04:36 PM

I solved the problem by shutting down Splunkd, then deleting the _audit index manually from the CLI, after a Restart, the _audit Index was enabled again.

BTW... mmather67 you do have a point.

View solution in original post

Reply
Solved! Jump to solution
Solution

Dark_Ichigo
Builder
‎11-27-2011 04:36 PM

I solved the problem by shutting down Splunkd, then deleting the _audit index manually from the CLI, after a Restart, the _audit Index was enabled again.

BTW... mmather67 you do have a point.

Reply
Solved! Jump to solution

sdwilkerson
Contributor
‎11-27-2011 08:12 PM

Dark_Ichigo,
If you mean you removed the actual _audit index directory from $SPLUNK_DB, then there is a good chance that there was a duplicate bucket ID that was causing a conflict. An auto-disabled index is often the result of a duplicate bucket ID. There is no natural reason for a duplicate, unless of course you moved/migrated the index from another instance or did something else strange. See this recent post if this was the case: http://splunk-base.splunk.com/answers/34811/how-can-i-find-all-duplicate-bucket-ids-that-are-causing...

0 Karma
Reply
Solved! Jump to solution

mmather67
Path Finder
‎11-25-2011 07:51 AM

Look for the question "Why is my index disabled?" The answer is there.

PS I wish this site showed what year messages were written.

PPS I wish this site would get you to log in before starting to write an answer. As it is, if you are not already logged in, you write an answer and then lose it.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...