Hello, I have some Windows systems that I'm trying to send logs from via a universal forwarder, to a heavy forwarder. However, I am getting an error on the heavy forwarder:
WARN IndexerService - Received event for unconfigured/disabled/deleted index=testwineventlog with source="source::tcp:5513" host="host::*hostname*" sourcetype="sourcetype::tcp-raw". So far received events from 1 missing index(es).
On the universal forwarder, I have the inputs.conf configured:
That error message appears when an event is received by an indexer for an index that is not defined or is disabled. By default, all Splunk instances other than Universal Forwarders have indexing enabled. That means your heavy forwarder is really an indexer. Create an outputs.conf file pointing to your indexer(s) to turn it into a HF.
Why are you using a heavy forwarder in this configuration? In general, using HFs as an intermediary is discouraged unless needed for a specific purpose (like getting through a firewall).
--- If this reply helps you, an upvote would be appreciated.
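To see which index names and which senders the warning above involves, the splunkd.log lines can be parsed and grouped. This is an added example, not code from the original posts; the function names, the timestamp prefix and the second host and source in the sample are constructed, while the message format and the first set of values are taken from the warning quoted in the question.

```python
import re
from collections import Counter

# Format of the IndexerService warning quoted in the question. The "source::",
# "host::" and "sourcetype::" prefixes are part of the logged values.
WARN_RE = re.compile(
    r'WARN\s+IndexerService - Received event for '
    r'unconfigured/disabled/deleted index=(?P<index>\S+) '
    r'with source="source::(?P<source>[^"]*)" '
    r'host="host::(?P<host>[^"]*)" '
    r'sourcetype="sourcetype::(?P<sourcetype>[^"]*)"'
)

def missing_index_report(lines):
    """Count warnings per (index, host, source, sourcetype)."""
    hits = Counter()
    for line in lines:
        m = WARN_RE.search(line)
        if m:  # any other log line is ignored
            hits[(m["index"], m["host"], m["source"], m["sourcetype"])] += 1
    return hits

def missing_indexes(lines):
    """Sorted index names that received events but are not usable."""
    return sorted({key[0] for key in missing_index_report(lines)})

# Constructed sample input: timestamps are invented; the message text follows
# the warning in the question, and "win-example-01" is a made-up host.
_TMPL = ('01-01-2024 10:00:0{n}.000 +0000 WARN  IndexerService - Received '
         'event for unconfigured/disabled/deleted index=testwineventlog '
         'with source="source::{s}" host="host::{h}" '
         'sourcetype="sourcetype::{t}". '
         'So far received events from 1 missing index(es).')
SAMPLE_LINES = [
    _TMPL.format(n=1, s="tcp:5513", h="*hostname*", t="tcp-raw"),
    _TMPL.format(n=2, s="tcp:5513", h="*hostname*", t="tcp-raw"),
    _TMPL.format(n=3, s="WinEventLog:Security", h="win-example-01",
                 t="WinEventLog"),
    "01-01-2024 10:00:04.000 +0000 INFO  TcpInputProc - unrelated line",
]

if __name__ == "__main__":
    for (index, host, source, st), n in missing_index_report(SAMPLE_LINES).items():
        print(f"{n:>3}  index={index} host={host} source={source} sourcetype={st}")
```

Each distinct row is a sender whose events are arriving at an instance that has no such index defined.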