
What happens when the forwarder is configured to send data to a non-existent index?

jwillaime
Explorer

Hello,

I would like to know what happens when the forwarder is configured to send data to a non-existent index, either with or without Indexer Acknowledgement enabled. All other parameters are set to the default ones.

I was trying to send data to a supposed index that is in fact not yet created, but I couldn't find any error message showing me that something was wrong (I looked into the metrics.log and the splunkd.log of the forwarder).

Did I miss something?

Thank you in advance.


damien_chillet
Builder

In indexes.conf: (https://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Indexesconf)

lastChanceIndex =
* Gives ability to define a last chance index for events destined for
non-existent indexes.
* If an event arrives whose index destination key points to an index that is
not configured (such as when using index= in the input stanza or
by a setting in a transform), it will route that event to the index specified
by this setting. The index destination key of that event will be overwritten
with the specified index name before routing.
* must name an existing enabled index. Splunk will not start if
this is not the case.
* If this setting is not defined or is empty, it will drop such events.
* If set to "default", then the default index specified by the
"defaultDatabase" will be used as a last chance index.
* Defaults to empty.
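
The routing rules quoted above can be checked before deployment. The following Python is an added example, not part of the original post and not Splunk tooling: it compares the `index` values in a forwarder's inputs.conf with the indexes defined in the indexer's indexes.conf and reports which inputs would be indexed, rerouted by `lastChanceIndex`, or dropped. The sample stanzas, the index names, the `audit` helper, the `[default]` stanza placement and the assumption that `main` always exists are constructed for illustration.

```python
import configparser

# Constructed sample files, not taken from the thread.
INPUTS_CONF = """
[monitor:///var/log/auth.log]
index = os_linux

[monitor:///var/log/nginx/access.log]
index = web_proxy
"""

INDEXES_CONF = """
[default]
lastChanceIndex = lastchance

[os_linux]
homePath = $SPLUNK_DB/os_linux/db

[lastchance]
homePath = $SPLUNK_DB/lastchance/db
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names such as lastChanceIndex as written
    cp.read_string(text)
    return cp

def audit(inputs_text, indexes_text, builtin=("main",)):
    """Return {input stanza: (requested index, outcome on the indexer)}."""
    inputs, indexes = _parse(inputs_text), _parse(indexes_text)
    # Assumption: "main" exists by default; disabled indexes count as missing.
    enabled = set(builtin) | {
        s for s in indexes.sections()
        if s != "default"
        and indexes.get(s, "disabled", fallback="false").lower() not in ("true", "1")
    }
    default_db = indexes.get("default", "defaultDatabase", fallback="main")
    last = indexes.get("default", "lastChanceIndex", fallback="").strip()
    last = default_db if last == "default" else last  # "default" = defaultDatabase
    report = {}
    for stanza in inputs.sections():
        target = inputs.get(stanza, "index", fallback="default")
        target = default_db if target == "default" else target
        outcome = "indexed" if target in enabled else ("rerouted to " + last if last else "dropped")
        report[stanza] = (target, outcome)
    return report
```

With `lastChanceIndex` left empty, the same audit reports the `web_proxy` input as dropped, which is the silent loss described in the question.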


kmorris_splunk
Splunk Employee

You should receive a message, something like "Received event for unconfigured/disabled/deleted index=" under Messages in your Search Head. The data will just get dropped when it hits the indexer(s).

Are you sending other data from the same forwarder? Verify that there are no firewalls blocking data from the forwarder.

All in all, you should either create the index manually or by installing any appropriate TAs (Add-ons) per that TA's documentation.


