Search peer xxxxxxxxxx has the following message:
Received event for unconfigured/disabled/deleted index=wineventlog with source="source::WinEventLog:Security" host="host::clientxxxx" sourcetype="sourcetype::WinEventLog:Security". So far received events from 1 missing index(es). 25/10/2016 14:04:25
My input.conf
[WinEventLog://Security]
disabled=0
index=webservices_windows
blacklist1=5156,4658,4672,5158,4648,4663,4776,4634,4656,5157
blacklist2 = EventCode="4624" Message="Account\sName:[\s\S]+-[\s\S]+Logon\sType\:[\s\t]+3[\s\S]+Account\sName:[\s\t]+[^\$]+\$"
checkpointInterval=5
current_only=1
[install]
state = enabled
[tcpout]
defaultGroup = ue-autolb-group
useACK = true
[tcpout:ue-autolb-group]
server = 00.000.00.000:9991, 00.000.00.000:9991, 00.000.00.000:9991
autoLB = true
please help deployment server correct same as indexers.
The above configurations should not be in your indexes.conf file. The first part should be in inputs and the second part outputs. You should also have an indexes.conf file which contains the settings for your index webservices_windows. If you have done all of this, where are all of these conf files residing?
The above configurations should not be in your indexes.conf file. The first part should be in inputs and the second part outputs. You should also have an indexes.conf file which contains the settings for your index webservices_windows. If you have done all of this, where are all of these conf files residing?
splunk2@deployment_servername$ cat /opt/splunk/etc/deployment-apps/forward_webservices/default/inputs.conf
[WinEventLog://Security]
disabled=0
index=webservices_windows
blacklist1=5156,4658,4672,5158,4648,4663,4776,4634,4656,5157
blacklist2 = EventCode="4624" Message="Account\sName:[\s\S]+-[\s\S]+Logon\sType:[\s\t]+3[\s\S]+Account\sName:[\s\t]+[^\$]+\$"
checkpointInterval=5
current_only=1