Getting Data In

unconfigured/disabled/deleted index=windows_server_winupdate

IWilsonR
Engager

Hi All,

I have configured the UF agent on a Windows machine. I don't see it reporting in forwarder management, and there are also no incoming logs.

But I got the message below in Splunk. Kindly let me know what the configuration flaw is.

unconfigured/disabled/deleted index=windows_server_winupdate with source="source::WinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational" host="host::hostname" sourcetype="sourcetype::WinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational". So far received events from 6 missing index(es).

Note: I did a telnet from the UF machine to my deployment server on the default port 8089. It's working.

Splunk version: 7.1.6

0 Karma
1 Solution

richgalloway
SplunkTrust

The UF is trying to write data to an index, windows_server_winupdate, that doesn't exist. Either create the index on your indexer(s) or change the UF's inputs.conf to use the correct index name.

---
If this reply helps you, Karma would be appreciated.


IWilsonR
Engager

Thanks for your reply. I have created an index for this host and it started indexing into the correct index name I created. But I am still getting the message; can we stop it from sending these logs to Splunk?

I need the Security, System and Application logs, which I am now getting in Splunk.

Sample Message:

unconfigured/disabled/deleted index=windows_server_powershell with source="source::WinEventLog:Microsoft-Windows-PowerShell/Operational" host="host::hostname" sourcetype="sourcetype::WinEventLog:Microsoft-Windows-PowerShell/Operational". So far received events from 2 missing index(es).

Sample Message2:

unconfigured/disabled/deleted index=windows_server_sysmon with source="source::WinEventLog:Microsoft-Windows-Sysmon/Operational" host="host::hostname" sourcetype="sourcetype::WinEventLog:Microsoft-Windows-Sysmon/Operational". So far received events from 1 missing index(es).

0 Karma

richgalloway
SplunkTrust

There are two ways to prevent those messages: 1) create the missing index; 2) disable the input(s) sending to the missing index.
Make sure to create the indexes on the indexer, not just on the search head.

---
If this reply helps you, Karma would be appreciated.
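Both of richgalloway's replies come down to the same check, so here is one added example that is not part of this thread or of Splunk's own tooling: a small Python script that parses a forwarder's inputs.conf and the indexer's indexes.conf, lists every enabled input whose index the indexer does not define, and produces either fix (an indexes.conf stanza to add on the indexer, or disabled = 1 on the offending input). The two .conf samples are constructed to mirror the messages in this thread, not the poster's real files; BUILTIN_INDEXES is an assumed subset of the indexes Splunk's system default indexes.conf already defines; and the parser only handles the [default] stanza plus the index and disabled keys, which is all this check needs. To run it against real files, replace the two strings with the file contents.

```python
"""Report UF inputs that send to an index the indexer does not define.
Added example for this thread; both .conf samples below are constructed."""
import configparser

# Constructed indexer-side indexes.conf: windows_server_winupdate has been
# created (as the poster did); the PowerShell and Sysmon indexes have not.
INDEXES_CONF = """
[windows_server_winupdate]
homePath   = $SPLUNK_DB/windows_server_winupdate/db
coldPath   = $SPLUNK_DB/windows_server_winupdate/colddb
thawedPath = $SPLUNK_DB/windows_server_winupdate/thaweddb
"""

# Constructed UF-side inputs.conf (what a deployment-server app would ship).
# Security has no index= of its own, so it inherits main from [default].
INPUTS_CONF = """
[default]
index = main

[WinEventLog://Security]
disabled = 0

[WinEventLog://Microsoft-Windows-WindowsUpdateClient/Operational]
disabled = 0
index = windows_server_winupdate

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
index = windows_server_powershell

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 1
index = windows_server_sysmon
"""

# Assumed subset of the indexes every indexer gets from the system default
# indexes.conf, so they never need a stanza in the local file.
BUILTIN_INDEXES = {"main", "history", "summary", "_internal", "_audit", "_introspection"}


def parse_conf(text):
    # Splunk .conf files are INI-like; '$SPLUNK_DB' must not be interpolated.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def defined_indexes(indexes_conf):
    """Index names the indexer will accept: local stanzas plus the built-ins."""
    cp = parse_conf(indexes_conf)
    local = {s for s in cp.sections() if s != "default" and not s.startswith("volume:")}
    return local | BUILTIN_INDEXES


def input_targets(inputs_conf):
    """Map each input stanza to (index, enabled), honouring the [default] stanza."""
    cp = parse_conf(inputs_conf)
    fallback = cp["default"].get("index", "main") if cp.has_section("default") else "main"
    targets = {}
    for stanza in cp.sections():
        if stanza == "default":
            continue
        index = cp[stanza].get("index", fallback)
        enabled = cp[stanza].get("disabled", "0").strip().lower() not in ("1", "true")
        targets[stanza] = (index, enabled)
    return targets


def find_missing(inputs_conf, indexes_conf):
    """Sorted (stanza, index) pairs that would trigger the 'missing index' message.
    Disabled inputs send nothing, so they are not reported."""
    known = defined_indexes(indexes_conf)
    return sorted((s, idx) for s, (idx, on) in input_targets(inputs_conf).items()
                  if on and idx not in known)


def index_stanza(name):
    """Fix 1: indexes.conf stanza to add on the indexer(s), not the search head."""
    return (f"[{name}]\n"
            f"homePath   = $SPLUNK_DB/{name}/db\n"
            f"coldPath   = $SPLUNK_DB/{name}/colddb\n"
            f"thawedPath = $SPLUNK_DB/{name}/thaweddb\n")


def disable_inputs(inputs_conf, stanzas):
    """Fix 2: return inputs.conf text with disabled = 1 set on the named stanzas."""
    out, current = [], None
    for line in inputs_conf.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
            out.append(line)
            if current in stanzas:
                out.append("disabled = 1")
            continue
        if current in stanzas and s.lower().startswith("disabled"):
            continue  # drop the old value so the stanza carries exactly one
        out.append(line)
    return "\n".join(out) + "\n"
```

On the constructed input the script flags only the PowerShell/Operational stanza: WindowsUpdateClient now has its index, Security inherits main, and Sysmon is skipped because it is disabled, which is exactly why option 2 silences the message. Keep in mind what the message means: the indexer is discarding those events, and PowerShell/Operational and Sysmon are the channels a detection team relies on most, so creating the index on the indexer (option 1) is usually the better fix than disabling the input. Whichever you choose, redeploy the app from the deployment server and confirm on the search head with `| tstats count where index=windows_server_powershell by sourcetype`.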