Getting Data In

How to fix an error "Received event for unconfigured/disabled/deleted index=wineventlog" on a search peer?

New Member

Search peer xxxxxxxxxx has the following message:

Received event for unconfigured/disabled/deleted index=wineventlog with source="source::WinEventLog:Security" host="host::clientxxxx" sourcetype="sourcetype::WinEventLog:Security". So far received events from 1 missing index(es). ‎25‎/‎10‎/‎2016‎ ‎14‎:‎04‎:‎25

My input.conf

[WinEventLog://Security]
disabled=0
index=webservices_windows
blacklist1=5156,4658,4672,5158,4648,4663,4776,4634,4656,5157
blacklist2 = EventCode="4624" Message="Account\sName:[\s\S]+-[\s\S]+Logon\sType\:[\s\t]+3[\s\S]+Account\sName:[\s\t]+[^\$]+\$"
checkpointInterval=5
current_only=1 
[install]
state = enabled 

[tcpout]
defaultGroup = ue-autolb-group
useACK = true
[tcpout:ue-autolb-group]
server = 00.000.00.000:9991, 00.000.00.000:9991, 00.000.00.000:9991
autoLB = true 

please help deployment server correct same as indexers.

0 Karma
1 Solution

Contributor

The above configurations should not be in your indexes.conf file. The first part should be in inputs and the second part outputs. You should also have an indexes.conf file which contains the settings for your index webservices_windows. If you have done all of this, where are all of these conf files residing?

View solution in original post

0 Karma

Contributor

The above configurations should not be in your indexes.conf file. The first part should be in inputs and the second part outputs. You should also have an indexes.conf file which contains the settings for your index webservices_windows. If you have done all of this, where are all of these conf files residing?

View solution in original post

0 Karma

New Member

splunk2@deployment_servername$ cat /opt/splunk/etc/deployment-apps/forward_webservices/default/inputs.conf
[WinEventLog://Security]
disabled=0
index=webservices_windows
blacklist1=5156,4658,4672,5158,4648,4663,4776,4634,4656,5157
blacklist2 = EventCode="4624" Message="Account\sName:[\s\S]+-[\s\S]+Logon\sType:[\s\t]+3[\s\S]+Account\sName:[\s\t]+[^\$]+\$"
checkpointInterval=5
current_only=1

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!