After removing an index, how or where can I find the related input for removal?

dolfantimmy
Path Finder

In a QA environment, for testing purposes, I used the search head to create a new index (tim_test), and then added a simple input that read /var/log/messages once.

I then removed the index.

Now, understandably, I am getting the following error:

Search peer sind1 has the following message: received event for unconfigured/disabled/deleted index='tim_testing' with source='source::/var/log/messages' host='host::sshd1' sourcetype='sourcetype::syslog' (1 missing total)

I can't seem to find the input to remove it. It was suggested I use btool to find it. Can someone help me with the syntax, or suggest another possible method?


jayannah
Builder

Here is the btool command to see the list of inputs configuration:
./splunk cmd btool inputs list --debug

You can delete it in the following ways:

Option-1:
Go to Splunk Web UI --> Settings --> Data inputs --> Files & directories.
You can see the list of input files monitored; delete it from here.

Option-2:
1. Execute: cd $SPLUNK_HOME/etc/
2. Execute: find . -name "inputs.conf" | grep -v default
3. In one of the inputs.conf files you will see your configuration.
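
Option-2 as a single function, added here as an example and not code posted in the thread: it walks every inputs.conf under a Splunk etc directory (default directories included, unlike the grep -v above) and prints the stanzas whose index setting equals the given name. The function name find_inputs_for_index and the sample tree built by demo are constructed for illustration; pass the index name exactly as it appears in the error message.

```shell
#!/bin/sh
# Added example (not from the thread): report which inputs.conf stanzas
# send data to a given index.
# Usage: find_inputs_for_index <etc_dir> <index_name>
find_inputs_for_index() {
    etc_dir=$1
    index_name=$2
    find "$etc_dir" -type f -name inputs.conf | sort | while IFS= read -r conf; do
        awk -v want="$index_name" -v file="$conf" '
            # Remember the most recent stanza header, e.g. [monitor:///path]
            /^[ \t]*\[/ { stanza = $0; sub(/^[ \t]+/, "", stanza); next }
            # An "index = <name>" line belongs to that stanza
            /^[ \t]*index[ \t]*=/ {
                value = $0
                sub(/^[ \t]*index[ \t]*=[ \t]*/, "", value)
                sub(/[ \t\r]+$/, "", value)
                if (value == want)
                    print file ": " (stanza == "" ? "(no stanza)" : stanza)
            }
        ' "$conf"
    done
}

# Constructed sample tree (hypothetical paths, not the poster's system).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/apps/search/local" "$tmp/system/local"
    printf '%s\n' '[monitor:///var/log/messages]' 'sourcetype = syslog' \
        'index = tim_test' > "$tmp/apps/search/local/inputs.conf"
    printf '%s\n' '[monitor:///var/log/secure]' 'index = main' \
        > "$tmp/system/local/inputs.conf"
    find_inputs_for_index "$tmp" tim_test
    rm -rf "$tmp"
}

demo
```

On a real instance the first argument would be $SPLUNK_HOME/etc, run on each instance where the input may have been created.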

dolfantimmy
Path Finder

Have you ever asked a question and then wanted to kick yourself when someone gives you the answer?

It was exactly as you described and makes perfect sense, thanks.

dolfantimmy
Path Finder

Ok, thanks for the answer jayannah. That btool command does return data but nothing that indicates my specific input. Also, I do not find my input using Option 1, nor am I finding it in any of the returned paths via option 2. I'm looking for the input on the indexer, is this correct?

dolfantimmy
Path Finder

Looked on the forwarder (search head) as well. Nothing.

jayannah
Builder

You mentioned you have added the index and input through Splunk Web on the search head, right? So I'm assuming your search head and indexer are the same instance.

While adding, did you choose the "Upload and index a file", "Continuously index data from a file or directory this Splunk instance can access" or "Index a file once from this Splunk server" option?

dolfantimmy
Path Finder

Separate instances for search head and indexer. I chose Index a file once.

jayannah
Builder

If you have chosen "Index a file once", then you don't see the entry in inputs.conf, as Splunk doesn't need to monitor the file any further. You don't get it in the btool output as well. This is the expected behavior.

But in the question you mentioned you created the index and added the file at the search head. Providing the right question will fetch the answer quickly, and the right one.

Can you please restart the Splunk instances where you created the index and added the input file, and let me know if you are still getting the messages?

If this is still not working, then you need to clearly explain your topology and the steps you followed for configuration. Then we can easily help to fix your issue.
