Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Re: What happens when the forwarder is configured to send data to a non-existent index?

JTS911
Explorer
‎03-03-2025 11:44 PM

Hi All 

I get this message but the indexes does exist, not permanent , it happens at 01:00 in the morning some days 

Search peer idx-03 has the following message: Received event for unconfigured/disabled/deleted index=mtrc_os_<XXX> with source="source::Storage Nix Metrics" host="host::splunk-sh-02" sourcetype="sourcetype::mcollect_stash". Dropping them as lastChanceIndex setting in indexes.conf is not configured. So far received events from 18 missing index(es).3/4/2025, 1:00:34 AM

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-04-2025 04:27 AM

Since your post was a reply to a very old thread I moved it into its own thread for greater visibility (old thread for reference - https://community.splunk.com/t5/Getting-Data-In/What-happens-when-the-forwarder-is-configured-to-sen... )

And to your question - the error is a result of a search running mcollect command. By host naming I suppose you have distributed architecture. Are you sure you have properly configured data routing? Your events generated on SHs should be properly routed to indexers. Otherwise you might get into situation like this - you have the indexes on your indexers but the events are generated using collect or mcollect on SHs and since they are not forwarded to indexers, your SHs are trying to index them locally where they might not have destination indexes and not have last chance indexes configured.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...