Getting Data In

received event for unconfigured/disabled/deleted index=..

asepyuliyana
Explorer

Hi All,,

I actually new with splunk, when I finished installing splunk server (version 6.2.2) on soalris 10 and install Splunk Forwader for multiple clients (different servers) also in solaris 10. I got an error message on the server splunk "received event for unconfigured/disabled/deleted index='fb' with source='source::perf' host='host::fbdtbs' sourcetype='sourcetype::zpool_iostat' (1 missing total)"

what should I do?

please advice.

Thanks,
Asep

Tags (2)
1 Solution

esix_splunk
Splunk Employee
Splunk Employee

This means your indexer doesnt have an index named "fb". You need to either created the index on the indexer, or confirm the index exists and is enabled.

See the Managing Indexes Documentation : http://docs.splunk.com/Documentation/Splunk/6.2.2/Indexer/Setupmultipleindexes#Create_and_edit_index...

View solution in original post

sylim_splunk
Splunk Employee
Splunk Employee

If the index is disabled, try to find reasons the index gets disabled. One reason I found is when in indexer clustering the Splunkd found any bucket ID conflict in the index during bucket replication it would be disabled.
Find the messages like,

 07-05-2016 12:44:52.598 +1000 ERROR IndexerService - Error intializing IndexerService: idx=AAA  bid=AAA~25~9B9D1F9-8EA5-4C73-BCC4-6C7C65E2AB5A  bucket=rb_1466615370_1466529185_25_9B9D1F9-8EA5-4C73-BCC4-6C7C65E2AB5A Detected directory manually copied into its database, causing id conflicts 
[path1='E:\splunk_indexes\AAA\db\db_1466615370_1466529185_25_9B9D1F9-8EA5-4C73-BCC4-6C7C65E2AB5A' 
 path2='E:\splunk_cold_indexes\AAA\db\rb_1466615370_1466529185_25_9B9D1F9-8EA5-4C73-BCC4-6C7C65E2AB5A'].  

divyamudundi
Path Finder

I am seeing a lot of this problem on multiple instances of Splunk where I dont see any errors in forwarders logs but Indexer just dont show data, and I see this error in the messages:

received event for unconfigured/disabled/deleted index='prodsupport_apac' with source='source::netstat' host='host::host' sourcetype='sourcetype::netstat' (2 missing total)

And I confirm that i have index created and it is enabled on the indexer.

Im lost with this error. Any resolutions are highly appreciated.

Divya

Runals
Motivator

Do you have just 1 server for Splunk running as search head and indexer? If you have separate systems a potential issue is downloading an app from Splunkbase that has an indexes.conf and that has you collect data from a location and send it to an index it expects to see. That index isn't automatically created on the indexer. This may or may not be the issue. Another issue in a 1 server environment where an app has been downloaded with an indexes.conf is that Splunk will need to be restarted.

Regardless if either of those are correct what the message is indicating is on a system named fbdtbs there is an inputs.conf that is configured to look for some data, set the sourcetype to zpool_iostat and send it to an index named fb. What you will need to do is either create that index OR adjust the inputs so the data goes into an index that does exist.

asepyuliyana
Explorer

I have just 1 server splunk,

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

This means your indexer doesnt have an index named "fb". You need to either created the index on the indexer, or confirm the index exists and is enabled.

See the Managing Indexes Documentation : http://docs.splunk.com/Documentation/Splunk/6.2.2/Indexer/Setupmultipleindexes#Create_and_edit_index...

asepyuliyana
Explorer

thanks esix_splunk, I must create an index named "fb"

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...