Solved: After removing an index, how or where can I find t...

dolfantimmy · ‎01-05-2015

In a QA environment, for testing purposes, I used the search head to create a new index (tim_test), and then added a simple input that read /var/log/messages once.

I then removed the index.

Now, understandably, I am getting the following error

Search peer sind1 has the following message: received event for unconfigured/disabled/deleted index='tim_testing' with source='source::/var/log/messages' host='host::sshd1' sourcetype='sourcetype::syslog' (1 missing total)

I can't seem to find the input to remove it. It was suggested I use btool to find it. Can someone help me with the syntax, or suggest another possible method?

jayannah · ‎01-05-2015

Here is the btool command to see the list of inputs configuration
./splunk cmd btool inputs list --debug

You can delete in following ways

Option-1:
Goto Splunk web UI --> Settings--> Data inputs » Files & directories.
You can see the list of inputs files monitored... delete it from here

Option-2:
1. Execute: cd $SPLUNK_HOME/etc/
2. Execute: find . -name "inputs.conf" | grep -v default
3. In one of inputs.conf you will see your configuration

View solution in original post

jayannah · ‎01-05-2015

Here is the btool command to see the list of inputs configuration
./splunk cmd btool inputs list --debug

You can delete in following ways

Option-1:
Goto Splunk web UI --> Settings--> Data inputs » Files & directories.
You can see the list of inputs files monitored... delete it from here

Option-2:
1. Execute: cd $SPLUNK_HOME/etc/
2. Execute: find . -name "inputs.conf" | grep -v default
3. In one of inputs.conf you will see your configuration

dolfantimmy · ‎01-05-2015

Have you ever asked a question and then wanted to kick yourself when someone gives you the answer?

IT was exactly as you described and makes perfect sense, thanks.

dolfantimmy · ‎01-05-2015

Ok, thanks for the answer jayannah. That btool command does return data but nothing that indicates my specific input. Also, I do not find my input using Option 1, nor am I finding it in any of the returned paths via option 2. I'm looking for the input on the indexer, is this correct?

dolfantimmy · ‎01-05-2015

Looked on the forwarder (search head) as well. Nothing

jayannah · ‎01-05-2015

You mentioned you have added the index and input splunk web on search head..right? So I'm assuming your search head and Indexer is same instance.

While adding, did you choose "Upload and index a file" or "Continuously index data from a file or directory this Splunk instance can access" or "Index a file once from this Splunk server" option??

dolfantimmy · ‎01-05-2015

Seperate instances for search head and indexer. I choose Index a file once.

jayannah · ‎01-05-2015

If you have chosen index a file once , then you dont see the entry in inputs.conf as splunk doesn't need to monitor the files for further. You dont get in btool output aswell. This is the expected behavior.

But in the question you mentioned you have created index and added file at search head. Providing right question will fetch the answer quickly and right one.

Can you please restart splunk instances where you had created Index & added input file and let me know if u still getting the messages?

If this is still not working, then you need to clearly explain your topology and steps you have followed for configuration. Then easily we can help to fix your issue.

After removing an index, how or where can I find the related input for removal?

Index This | How many sides does a circle have?

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?