Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

unconfigured/disabled/deleted index=windows_server_winupdate

IWilsonR
Engager
‎11-07-2019 05:47 AM

Hi All,

I have configured UF agent on windows machine. I dont see it's reporting in forwarder management and also no incoming logs.

but i got the below message in splunk. Kindly let me know what is the configuration flaw.

unconfigured/disabled/deleted index=windows_server_winupdate with source="source::WinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational" host="host::hostname" sourcetype="sourcetype::WinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational". So far received events from 6 missing index(es).

note: I did a telnet from the UF machine to my deployment server through default port 8089. It's working.

Splunk version: 7.1.6

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-07-2019 10:39 AM

The UF is trying to write data to an index, windows_server_winupdate, that doesn't exist. Either create the index on your indexer(s) or change the UF's inputs.conf to use the correct index name.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-07-2019 10:39 AM

The UF is trying to write data to an index, windows_server_winupdate, that doesn't exist. Either create the index on your indexer(s) or change the UF's inputs.conf to use the correct index name.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

IWilsonR
Engager
‎11-14-2019 10:52 PM

Thanks for your reply. I have created an index for this host and it started indexing in the correct index name i have created. But still i am getting the message, can we disable this from sending this logs to splunk.

I need the security, system and application which is now iam getting in splunk.

Sample Message:

unconfigured/disabled/deleted index=windows_server_powershell with source="source::WinEventLog:Microsoft-Windows-PowerShell/Operational" host="host::hostname" sourcetype="sourcetype::WinEventLog:Microsoft-Windows-PowerShell/Operational". So far received events from 2 missing index(es).

Sample Message2:

unconfigured/disabled/deleted index=windows_server_sysmon with source="source::WinEventLog:Microsoft-Windows-Sysmon/Operational" host="host::hostname" sourcetype="sourcetype::WinEventLog:Microsoft-Windows-Sysmon/Operational". So far received events from 1 missing index(es).

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-15-2019 04:49 AM

There are two ways to prevent those messages: 1) create the missing index; 2) disable the input(s) sending to the missing index.
Make sure to create the indexes on the indexer, not just on the search head.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...