Getting Data In

warning in my indexer received event for unconfigured/disabled index

Contributor

I receive a syslog feed on my heavy forwarder. From there the data is forwarded to my indexer.

And on my indexer I want the received data to be indexed in index=syslog.

Heavy Forwarder configuration

inputs.conf:

[udp://514]
connection_host = X.X.X.X
index = syslog_index
sourcetype = syslog_st

and the configuration on my indexer is:

inputs.conf

[splunktcp://9998]
index = syslog
sourcetype = syslog_feed

But I am getting a warning on my indexer:

received event for unconfigured/disabled index='syslog_index' with source='source::udp:514' host='host::X.X.X.X' sourcetype='sourcetype::syslog_st' (1 missing total)

Why is it still trying to put the forwarded data into index=syslog_index when I configured my indexer to index the data into index=syslog?

Could any one please help?


Path Finder

The heavy forwarder does the event parsing, which means you cannot change the index name on the indexer side (the "index=syslog" part on the indexer is ignored).
You should replace the Heavy Forwarder with a Universal Forwarder to move the parsing logic to the indexer.
Another option is to set the "sendCookedData=false" parameter in outputs.conf on the HF to tell Splunk to send raw, unparsed data.

Splunk Employee

Why are you setting index = syslog_index in the first place? Just set index=syslog no? In any case, if it's a heavyweight forwarder, all the parsing has already been done which is why the Indexer is ignoring your configuration.

Contributor

The reason I have different index names is that from the heavy forwarder I have to filter data to be sent to different indexes (one to hold user auth data and the other to hold payload data) on the indexer, depending on some regex.

Splunk Employee
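For the regex-based routing described in the post above, together with the point from the earlier answer that the heavy forwarder decides the index before the indexer ever sees the event, here is an added example of how that routing is usually expressed. It is not configuration from this thread: the index names syslog_auth and syslog_payload, the regexes, and the TRANSFORMS-routing name are assumptions for illustration.

```ini
# --- Heavy forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Default index for events that match none of the routing rules below.
[udp://514]
index = syslog
sourcetype = syslog_st

# --- Heavy forwarder: props.conf ---
# Routing transforms run in the listed order; the last rule that matches
# sets the destination index for the event.
[syslog_st]
TRANSFORMS-routing = route_auth, route_payload

# --- Heavy forwarder: transforms.conf ---
# Index names and regexes are assumed for this example.
[route_auth]
REGEX = (?i)(sshd|pam_unix|Accepted password|Failed password)
DEST_KEY = _MetaData:Index
FORMAT = syslog_auth

[route_payload]
REGEX = (?i)\bpayload=
DEST_KEY = _MetaData:Index
FORMAT = syslog_payload

# --- Each indexer: $SPLUNK_HOME/etc/system/local/indexes.conf ---
# Every index the HF can write to must be defined on the indexer; an index
# stanza in inputs.conf on the indexer does not create one. Events arriving
# for an index that is not defined produce the
# "received event for unconfigured/disabled index" warning and are dropped
# by default.
[syslog]
homePath   = $SPLUNK_DB/syslog/db
coldPath   = $SPLUNK_DB/syslog/colddb
thawedPath = $SPLUNK_DB/syslog/thaweddb

[syslog_auth]
homePath   = $SPLUNK_DB/syslog_auth/db
coldPath   = $SPLUNK_DB/syslog_auth/colddb
thawedPath = $SPLUNK_DB/syslog_auth/thaweddb

[syslog_payload]
homePath   = $SPLUNK_DB/syslog_payload/db
coldPath   = $SPLUNK_DB/syslog_payload/colddb
thawedPath = $SPLUNK_DB/syslog_payload/thaweddb
```

After editing, `./splunk cmd btool transforms list --debug` and `./splunk cmd btool indexes list --debug` show which file each effective setting comes from, so a stale transform that still names an old index (the situation the warning in the question points at) is easy to spot on the HF, and a missing index stanza is easy to spot on each indexer.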

There is still a forwarder somewhere configured to send to this syslog_index.
Can you check:

  • all the inputs.conf on all the forwarders
  • all the props.conf/transforms.conf on the indexer and heavy forwarders (in case another transform remains)

Use the btool command to make sure, and search for the keyword syslog_index in the output.

./splunk cmd btool inputs list --debug
./splunk cmd btool props list --debug
etc...


Contributor

I have only one heavy forwarder pushing data to 2 indexers.
And on that heavy forwarder the conf is the same as in my post above, and both indexers have the configuration mentioned above in the post.
