received event for unconfigured/disabled/deleted index=..

asepyuliyana
Explorer

Hi All,

I am actually new to Splunk. I finished installing the Splunk server (version 6.2.2) on Solaris 10 and installed the Splunk Forwarder for multiple clients (different servers), also on Solaris 10. I got an error message on the Splunk server: "received event for unconfigured/disabled/deleted index='fb' with source='source::perf' host='host::fbdtbs' sourcetype='sourcetype::zpool_iostat' (1 missing total)"

What should I do?

Please advise.

Thanks,
Asep

1 Solution

esix_splunk
Splunk Employee

This means your indexer doesn't have an index named "fb". You need to either create the index on the indexer, or confirm the index exists and is enabled.

See the Managing Indexes Documentation : http://docs.splunk.com/Documentation/Splunk/6.2.2/Indexer/Setupmultipleindexes#Create_and_edit_index...

sylim_splunk
Splunk Employee

If the index is disabled, try to find the reasons the index gets disabled. One reason I found is that in indexer clustering, when splunkd finds a bucket ID conflict in the index during bucket replication, the index is disabled.
Look for messages like:

 07-05-2016 12:44:52.598 +1000 ERROR IndexerService - Error intializing IndexerService: idx=AAA  bid=AAA~25~9B9D1F9-8EA5-4C73-BCC4-6C7C65E2AB5A  bucket=rb_1466615370_1466529185_25_9B9D1F9-8EA5-4C73-BCC4-6C7C65E2AB5A Detected directory manually copied into its database, causing id conflicts 
[path1='E:\splunk_indexes\AAA\db\db_1466615370_1466529185_25_9B9D1F9-8EA5-4C73-BCC4-6C7C65E2AB5A' 
 path2='E:\splunk_cold_indexes\AAA\db\rb_1466615370_1466529185_25_9B9D1F9-8EA5-4C73-BCC4-6C7C65E2AB5A'].  

divyamudundi
Path Finder

I am seeing a lot of this problem on multiple instances of Splunk, where I don't see any errors in the forwarder logs but the indexer just doesn't show data, and I see this error in the messages:

received event for unconfigured/disabled/deleted index='prodsupport_apac' with source='source::netstat' host='host::host' sourcetype='sourcetype::netstat' (2 missing total)

And I confirm that I have the index created and it is enabled on the indexer.

I'm lost with this error. Any resolutions are highly appreciated.

Divya

Runals
Motivator

Do you have just 1 server for Splunk running as search head and indexer? If you have separate systems a potential issue is downloading an app from Splunkbase that has an indexes.conf and that has you collect data from a location and send it to an index it expects to see. That index isn't automatically created on the indexer. This may or may not be the issue. Another issue in a 1 server environment where an app has been downloaded with an indexes.conf is that Splunk will need to be restarted.

Regardless of whether either of those is correct, what the message is indicating is that on a system named fbdtbs there is an inputs.conf that is configured to look for some data, set the sourcetype to zpool_iostat and send it to an index named fb. What you will need to do is either create that index OR adjust the inputs so the data goes into an index that does exist.
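
One way to act on the answers above is to parse the warning and check each named index against the indexer's indexes.conf. This is an added example, not part of any post in this thread; `index_states`, `diagnose` and the sample configuration are hypothetical, and it assumes the merged indexes.conf is supplied as text.

```python
import configparser
import re

# Warning text as quoted in this thread.
MISSING_INDEX_RE = re.compile(
    r"received event for unconfigured/disabled/deleted index='(?P<index>[^']*)' "
    r"with source='source::(?P<source>[^']*)' host='host::(?P<host>[^']*)' "
    r"sourcetype='sourcetype::(?P<sourcetype>[^']*)'"
)
TRUE_VALUES = {"1", "true", "t", "yes", "y"}


def index_states(indexes_conf_text):
    """Map each index stanza in indexes.conf text to 'enabled' or 'disabled'."""
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(indexes_conf_text)
    states = {}
    for name in parser.sections():
        if name == "default" or ":" in name:  # global settings, volume: stanzas
            continue
        disabled = parser.get(name, "disabled", fallback="false").strip().lower()
        states[name] = "disabled" if disabled in TRUE_VALUES else "enabled"
    return states


def diagnose(log_lines, indexes_conf_text):
    """Group dropped-event warnings by index: its state and the inputs feeding it."""
    states = index_states(indexes_conf_text)
    report = {}
    for line in log_lines:
        m = MISSING_INDEX_RE.search(line)
        if m:
            state = states.get(m["index"], "not defined")
            entry = report.setdefault(m["index"], {"state": state, "inputs": set()})
            entry["inputs"].add((m["host"], m["source"], m["sourcetype"]))
    return report


# Constructed indexes.conf, not any poster's real configuration.
SAMPLE_CONF = """\
[main]
homePath = $SPLUNK_DB/defaultdb/db

[prodsupport_apac]
disabled = true
"""
# Two warnings quoted in the thread, plus one constructed unrelated line.
SAMPLE_LOG = [
    "received event for unconfigured/disabled/deleted index='fb' with source='source::perf' host='host::fbdtbs' sourcetype='sourcetype::zpool_iostat' (1 missing total)",
    "received event for unconfigured/disabled/deleted index='prodsupport_apac' with source='source::netstat' host='host::host' sourcetype='sourcetype::netstat' (2 missing total)",
    "INFO Metrics - group=queue, name=indexqueue",
]
```

A state of "not defined" points at creating the index or redirecting the input on the listed host; "disabled" points at finding out why the indexer disabled it.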

asepyuliyana
Explorer

I have just 1 Splunk server.


asepyuliyana
Explorer

Thanks esix_splunk, I must create an index named "fb".
