Getting Data In

unconfigured/disabled/deleted index=windows_server_winupdate

IWilsonR
Engager

Hi All,

I have configured UF agent on windows machine. I dont see it's reporting in forwarder management and also no incoming logs.

but i got the below message in splunk. Kindly let me know what is the configuration flaw.

unconfigured/disabled/deleted index=windows_server_winupdate with source="source::WinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational" host="host::hostname" sourcetype="sourcetype::WinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational". So far received events from 6 missing index(es).

note: I did a telnet from the UF machine to my deployment server through default port 8089. It's working.

Splunk version: 7.1.6

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The UF is trying to write data to an index, windows_server_winupdate, that doesn't exist. Either create the index on your indexer(s) or change the UF's inputs.conf to use the correct index name.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The UF is trying to write data to an index, windows_server_winupdate, that doesn't exist. Either create the index on your indexer(s) or change the UF's inputs.conf to use the correct index name.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

IWilsonR
Engager

Thanks for your reply. I have created an index for this host and it started indexing in the correct index name i have created. But still i am getting the message, can we disable this from sending this logs to splunk.

I need the security, system and application which is now iam getting in splunk.

Sample Message:

unconfigured/disabled/deleted index=windows_server_powershell with source="source::WinEventLog:Microsoft-Windows-PowerShell/Operational" host="host::hostname" sourcetype="sourcetype::WinEventLog:Microsoft-Windows-PowerShell/Operational". So far received events from 2 missing index(es).

Sample Message2:

unconfigured/disabled/deleted index=windows_server_sysmon with source="source::WinEventLog:Microsoft-Windows-Sysmon/Operational" host="host::hostname" sourcetype="sourcetype::WinEventLog:Microsoft-Windows-Sysmon/Operational". So far received events from 1 missing index(es).

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There are two ways to prevent those messages: 1) create the missing index; 2) disable the input(s) sending to the missing index.
Make sure to create the indexes on the indexer, not just on the search head.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!