After removing an index, how or where can I find the related input for removal?

Path Finder

In a QA environment, for testing purposes, I used the search head to create a new index (tim_test), and then added a simple input that read /var/log/messages once.

I then removed the index.

Now, understandably, I am getting the following error

Search peer sind1 has the following message: received event for unconfigured/disabled/deleted index='tim_testing' with source='source::/var/log/messages' host='host::sshd1' sourcetype='sourcetype::syslog' (1 missing total)

I can't seem to find the input to remove it. It was suggested I use btool to find it. Can someone help me with the syntax, or suggest another possible method?

Builder

Here is the btool command to see the list of inputs configuration:
./splunk cmd btool inputs list --debug

You can delete it in the following ways:

Option-1:
Go to Splunk web UI --> Settings --> Data inputs --> Files & directories.
You can see the list of input files monitored... delete it from here.

Option-2:
1. Execute: cd $SPLUNK_HOME/etc/
2. Execute: find . -name "inputs.conf" | grep -v default
3. In one of the inputs.conf files you will see your configuration
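
One way to carry out Option-2 and go straight to the stanza that names a given index, as an added example that is not part of the original answer. The function names and the sample directory tree are constructed for illustration; only directories literally named "default" are skipped.

```shell
#!/bin/sh
# Added example: list inputs.conf stanzas that route data to a given index.
# Usage: find_inputs_for_index <etc-dir> <index-name>
find_inputs_for_index() {
    etc_dir=$1
    index_name=$2
    # Same selection as Option-2: every inputs.conf outside "default" dirs.
    find "$etc_dir" -name inputs.conf ! -path '*/default/*' | sort |
    while IFS= read -r conf; do
        awk -v want="$index_name" -v file="$conf" '
            /^[ \t]*#/ { next }                 # skip comment lines
            /^[ \t]*\[/ {                       # remember the current stanza
                stanza = $0
                sub(/^[ \t]+/, "", stanza); sub(/[ \t]+$/, "", stanza)
                next
            }
            /^[ \t]*index[ \t]*=/ {             # index = <name> inside a stanza
                val = $0
                sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                if (val == want) print file ": " stanza
            }
        ' "$conf"
    done
}

# Constructed sample tree (not from the page) standing in for $SPLUNK_HOME/etc.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/apps/search/local" "$d/system/default" "$d/system/local"
    printf '[monitor:///var/log/messages]\nsourcetype = syslog\nindex = tim_test\n' \
        > "$d/apps/search/local/inputs.conf"
    printf '[monitor:///var/log/secure]\nindex = main\n' \
        > "$d/system/local/inputs.conf"
    printf '[default]\nindex = tim_test\n' > "$d/system/default/inputs.conf"
    # Print matches relative to the sample root, then clean up.
    find_inputs_for_index "$d" tim_test | sed "s|^$d/||"
    rm -rf "$d"
}
demo
```

On a real instance, call find_inputs_for_index "$SPLUNK_HOME/etc" tim_test; an empty result means no inputs.conf stanza outside the default directories sets that index.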

Path Finder

Have you ever asked a question and then wanted to kick yourself when someone gives you the answer?

It was exactly as you described and makes perfect sense, thanks.

Path Finder

Ok, thanks for the answer jayannah. That btool command does return data but nothing that indicates my specific input. Also, I do not find my input using Option 1, nor am I finding it in any of the returned paths via option 2. I'm looking for the input on the indexer, is this correct?

Path Finder

Looked on the forwarder (search head) as well. Nothing.

Builder

You mentioned you have added the index and input through Splunk Web on the search head, right? So I'm assuming your search head and indexer are the same instance.

While adding, did you choose the "Upload and index a file", "Continuously index data from a file or directory this Splunk instance can access" or "Index a file once from this Splunk server" option?

Path Finder

Separate instances for search head and indexer. I chose Index a file once.

Builder

If you have chosen "Index a file once", then you don't see the entry in inputs.conf, as Splunk doesn't need to monitor the file any further. You don't get it in the btool output as well. This is the expected behavior.

But in the question you mentioned you had created the index and added the file at the search head. Providing the right question will fetch the right answer quickly.

Can you please restart the Splunk instances where you created the index and added the input file, and let me know if you are still getting the messages?

If this is still not working, then you need to clearly explain your topology and the steps you have followed for configuration. Then we can easily help to fix your issue.
