After removing an index, how or where can I find the related input for removal?

dolfantimmy
Path Finder

In a QA environment, for testing purposes, I used the search head to create a new index (tim_test), and then added a simple input that read /var/log/messages once.

I then removed the index.

Now, understandably, I am getting the following error

Search peer sind1 has the following message: received event for unconfigured/disabled/deleted index='tim_testing' with source='source::/var/log/messages' host='host::sshd1' sourcetype='sourcetype::syslog' (1 missing total)

I can't seem to find the input to remove it. It was suggested I use btool to find it. Can someone help me with the syntax, or suggest another possible method?


jayannah
Builder

Here is the btool command to see the list of input configurations:
./splunk cmd btool inputs list --debug

You can delete it in the following ways:

Option-1:
Go to Splunk web UI --> Settings --> Data inputs » Files & directories.
You can see the list of input files monitored... delete it from here.

Option-2:
1. Execute: cd $SPLUNK_HOME/etc/
2. Execute: find . -name "inputs.conf" | grep -v default
3. In one of the inputs.conf files you will see your configuration.
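
Option-2 above, taken one step further as an added example that is not part of the original answer: it searches the same non-default inputs.conf files and prints only the stanzas whose index setting matches a given index. The function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list inputs.conf stanzas that send
# events to a given index. Prints "file<TAB>[stanza]" for each match.
find_inputs_for_index() {
    etc_dir=$1
    want_index=$2
    # Same file selection as Option-2: every inputs.conf outside default/.
    find "$etc_dir" -type f -name inputs.conf ! -path '*/default/*' | sort |
    while IFS= read -r conf; do
        awk -v want="$want_index" -v file="$conf" '
            BEGIN { stanza = "(global)" }            # settings before any stanza
            /^[ \t]*#/ { next }                      # comment line
            /^[ \t]*\[/ {                            # stanza header, e.g. [monitor://...]
                stanza = $0
                gsub(/^[ \t]+|[ \t]+$/, "", stanza)
                next
            }
            /^[ \t]*index[ \t]*=/ {                  # index assignment in current stanza
                val = $0
                sub(/^[ \t]*index[ \t]*=[ \t]*/, "", val)
                sub(/[ \t]+$/, "", val)
                if (val == want) printf "%s\t%s\n", file, stanza
            }
        ' "$conf"
    done
}

# Constructed sample tree (hypothetical contents) so the function runs offline.
make_sample_etc() {
    root=$(mktemp -d)
    mkdir -p "$root/system/local" "$root/apps/search/local" "$root/apps/search/default"
    printf '%s\n' '[monitor:///var/log/secure]' 'index = main' \
        > "$root/system/local/inputs.conf"
    printf '%s\n' '# test input' '[monitor:///var/log/messages]' \
        'sourcetype = syslog' 'index = tim_test' \
        > "$root/apps/search/local/inputs.conf"
    printf '%s\n' '[monitor:///var/log/ignored]' 'index = tim_test' \
        > "$root/apps/search/default/inputs.conf"
    printf '%s\n' "$root"
}

# Real use: find_inputs_for_index "$SPLUNK_HOME/etc" tim_test
if [ "$#" -eq 2 ]; then
    find_inputs_for_index "$1" "$2"
fi
```

An empty result is consistent with the later reply in this thread that an input added with "Index a file once" leaves no entry in inputs.conf.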

dolfantimmy
Path Finder

Have you ever asked a question and then wanted to kick yourself when someone gives you the answer?

It was exactly as you described and makes perfect sense, thanks.

dolfantimmy
Path Finder

Ok, thanks for the answer jayannah. That btool command does return data but nothing that indicates my specific input. Also, I do not find my input using Option 1, nor am I finding it in any of the returned paths via option 2. I'm looking for the input on the indexer, is this correct?

dolfantimmy
Path Finder

Looked on the forwarder (search head) as well. Nothing.

jayannah
Builder

You mentioned you added the index and input through Splunk Web on the search head, right? So I'm assuming your search head and indexer are the same instance.

While adding, did you choose the "Upload and index a file", "Continuously index data from a file or directory this Splunk instance can access", or "Index a file once from this Splunk server" option?

dolfantimmy
Path Finder

Separate instances for search head and indexer. I chose "Index a file once".

jayannah
Builder

If you have chosen "Index a file once", then you don't see the entry in inputs.conf, as Splunk doesn't need to monitor the file any further. You don't get it in the btool output as well. This is the expected behavior.

But in the question you mentioned you had created the index and added the file at the search head. Providing the right question will fetch the right answer quickly.

Can you please restart the Splunk instances where you created the index and added the input file, and let me know if you are still getting the messages?

If this is still not working, then you need to clearly explain your topology and the steps you followed for configuration. Then we can easily help fix your issue.
