Getting Data In

What happens when the forwarder is configured to send data to a non-existent index?

jwillaime
Explorer

Hello,

I would like to know what happens when the forwarder is configured to send data to a non-existent index, either with or without Indexer Acknowledgement enabled. All other parameters are set to the default ones.

I was trying to send data to a supposed index that is in fact not yet created, but I couldn't find any error message showing me that something was wrong (I looked into the metric.log and the splunkd.log of the forwarder).

Did I miss something?

Thank you in advance.

0 Karma
1 Solution

damien_chillet
Builder

In indexes.conf: (https://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Indexesconf)

lastChanceIndex = <index name>
* Gives ability to define a last chance index for events destined for
  non-existent indexes.
* If an event arrives whose index destination key points to an index that is
  not configured (such as when using index=<index name> in the input stanza or
  by a setting in a transform), it will route that event to the index specified
  by this setting. The index destination key of that event will be overwritten
  with the specified index name before routing.
* <index name> must name an existing enabled index. Splunk will not start if
  this is not the case.
* If this setting is not defined or is empty, it will drop such events.
* If set to "default", then the default index specified by the
  "defaultDatabase" will be used as a last chance index.
* Defaults to empty.

kmorris_splunk
Splunk Employee

You should receive a message, something like "Received event for unconfigured/disabled/deleted index=" under Messages in your Search Head. The data will just get dropped when it hits the indexer(s).

Are you sending other data from the same forwarder? Verify that there are no firewalls blocking data from the forwarder.

All in all, you should either create the index manually or by installing any appropriate TAs (Add-ons) per that TA's documentation.

0 Karma
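
Because the forwarder itself logs nothing when events are dropped, the mismatch can be caught before deployment. The following Python script is an added example, not part of the original thread and not Splunk tooling: it cross-checks the index= values in a forwarder's inputs.conf against the indexer's indexes.conf and reports what would happen to each mismatched input under the lastChanceIndex rules quoted above. The function names and the sample stanzas are constructed for illustration.

```python
import re

# Constructed sample configs for illustration (not from the thread).
INPUTS_CONF = """
[monitor:///var/log/secure]
index = os_linux

[monitor:///var/log/nginx/access.log]
index = web_proxy

[monitor:///var/log/messages]
sourcetype = syslog
"""
INDEXES_CONF = """
[default]
lastChanceIndex =

[main]

[os_linux]
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; keys before any stanza go to 'default'."""
    stanzas, current = {"default": {}}, "default"
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def audit_index_routing(inputs_text, indexes_text):
    """Return (input stanza, index, fate) for inputs naming a missing or disabled index."""
    inputs, indexes = parse_conf(inputs_text), parse_conf(indexes_text)
    glob = indexes.pop("default")  # global settings, including lastChanceIndex
    usable = {name for name, kv in indexes.items()
              if not name.startswith(("volume:", "provider:", "provider-family:"))
              and kv.get("disabled", "false").lower() not in ("1", "true")}
    last_chance = glob.get("lastChanceIndex", "")
    if last_chance == "default":  # per the spec: use defaultDatabase (defaults to main)
        last_chance = glob.get("defaultDatabase", "main")
    fate = f"rerouted to {last_chance}" if last_chance else "dropped at the indexer"
    return [(stanza, kv["index"], fate) for stanza, kv in inputs.items()
            if kv.get("index") and kv["index"] not in usable]
```

For real use, feed it the merged effective configuration (for example the output of `splunk btool indexes list` on the indexer) rather than a single file, so that indexes defined by apps and add-ons are counted.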