Splunk Enterprise

How to check when the index is disabled/enabled

sajeshpp
Path Finder

We are seeing that one of our indexes is disabled.
Is there any way to find out when the index was disabled (date and time)?
Is this info logged in any log files?


woodcock
Esteemed Legend

You will know if you are getting events for that index, believe me!

On all Search Heads that are peered to indexers, in the Messages area, you will see messages like:

Received event for unconfigured/disabled/deleted index='lost_index' with source='source::/tmp/test' host='host::localhost.localdomain' sourcetype='sourcetype::anything' (1 missing total)

You can also search _internal for splunkd.log (/opt/splunk/var/log/splunk/splunkd.log) for events like this:

05-22-2017 17:30:43.276 +0200 WARN  IndexProcessor - received event for unconfigured/disabled/deleted index='lost_index' with source='source::/tmp/test' host='host::localhost.localdomain' sourcetype='sourcetype::anything' (1 missing total)

sajeshpp
Path Finder

Thanks for your response 🙂
Yes, it shows the messages. But it won't tell you when the index was disabled.

We are not using/monitoring this server regularly as it is part of PoC/testing activity, and logs are also not pushed regularly to the index. Hence it will be difficult to find when the index was disabled and by whom.


woodcock
Esteemed Legend

Search in _internal for the log that I indicated. When it first started happening is roughly when it was disabled.

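The approach in the two replies above (find the IndexProcessor warning in splunkd.log and treat its first occurrence as the approximate disable time) can be done offline on a copy of /opt/splunk/var/log/splunk/splunkd.log, which is handy when the box is a PoC host nobody is searching regularly. The script below is an added example, not code from the thread or from Splunk: it parses the warning format quoted above and reports, per index, the earliest and latest warning and how many were seen. The sample log lines are constructed for the example (the first "lost_index" line is the one from the thread; the filler INFO line and the "typo_idx" lines are made up), and the handling of the "(N missing total)" counter assumes it is the running count splunkd appends to the message.

```python
"""Locate the first 'received event for unconfigured/disabled/deleted index'
warning per index in a splunkd.log file.

Added example for this thread; not Splunk's code. It reads the raw log
file, so it works on a copy pulled off the host without running a search.
"""
import re
from datetime import datetime

# splunkd.log's default timestamp is MM-DD-YYYY HH:MM:SS.mmm +ZZZZ, followed by
# the log level, the component and the message. Only the IndexProcessor
# warning quoted in the thread is matched; everything else is ignored.
WARN_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"WARN\s+IndexProcessor - received event for unconfigured/disabled/deleted "
    r"index='(?P<index>[^']+)'.*\((?P<missing>\d+) missing total\)"
)

# Constructed sample input for the example. Line 2 is the warning quoted in the
# thread; the INFO filler line and the 'typo_idx' lines are made up, and the
# last line is deliberately out of chronological order (as happens when rotated
# log files are concatenated) to show that first_seen is a true minimum.
SAMPLE_SPLUNKD_LOG = """\
05-22-2017 17:25:10.001 +0200 INFO  IndexProcessor - constructed filler line that must not match
05-22-2017 17:30:43.276 +0200 WARN  IndexProcessor - received event for unconfigured/disabled/deleted index='lost_index' with source='source::/tmp/test' host='host::localhost.localdomain' sourcetype='sourcetype::anything' (1 missing total)
05-22-2017 17:31:02.118 +0200 WARN  IndexProcessor - received event for unconfigured/disabled/deleted index='lost_index' with source='source::/tmp/test' host='host::localhost.localdomain' sourcetype='sourcetype::anything' (2 missing total)
05-23-2017 09:12:55.500 +0200 WARN  IndexProcessor - received event for unconfigured/disabled/deleted index='typo_idx' with source='source::udp:514' host='host::fw01' sourcetype='sourcetype::syslog' (3 missing total)
05-23-2017 08:58:00.000 +0200 WARN  IndexProcessor - received event for unconfigured/disabled/deleted index='typo_idx' with source='source::udp:514' host='host::fw01' sourcetype='sourcetype::syslog' (4 missing total)
"""


def parse_ts(ts):
    """Parse the splunkd.log timestamp, keeping its UTC offset."""
    return datetime.strptime(ts, "%m-%d-%Y %H:%M:%S.%f %z")


def first_missing_index_events(lines):
    """Return {index_name: {first_seen, last_seen, warnings, missing_total}}.

    first_seen is the earliest warning for that index, i.e. the index was
    disabled/deleted no later than this; it may have happened much earlier
    if data only arrives sporadically.
    """
    out = {}
    for line in lines:
        m = WARN_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group("ts"))
        idx = m.group("index")
        rec = out.setdefault(
            idx, {"first_seen": ts, "last_seen": ts, "warnings": 0, "missing_total": 0}
        )
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["warnings"] += 1
        # Assumed to be splunkd's running counter; keep the largest value seen.
        rec["missing_total"] = max(rec["missing_total"], int(m.group("missing")))
    return out


def report(lines):
    """Human-readable summary, oldest first-sighting first."""
    rows = []
    for idx, rec in sorted(first_missing_index_events(lines).items(),
                           key=lambda kv: kv[1]["first_seen"]):
        rows.append(
            f"{idx}: disabled no later than {rec['first_seen'].isoformat()} "
            f"(last warning {rec['last_seen'].isoformat()}, "
            f"{rec['warnings']} warnings, counter {rec['missing_total']})"
        )
    return "\n".join(rows)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python find_disabled_index.py splunkd.log
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(fh))
    else:
        print(report(SAMPLE_SPLUNKD_LOG.splitlines()))
```

Two caveats when reading the output: the earliest warning only bounds the disable time from above, since a warning is produced only when data actually arrives for the index, so on a host where data is pushed rarely the real disable could be much earlier; and splunkd.log rotates, so if the earliest copy you have already contains warnings the true first sighting may be in a rotated-out file. Both are reasons to corroborate with the _audit search given later in this thread, which records the change itself together with the user who made it.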

niketn
Legend

@sajeshpp, you can get this from Splunk's _audit index. Add the index name which has been disabled to the following query:

index="_audit" action=disable object="<YourDisabledIndexName>"
 | table object action user timestamp _raw _time

sajeshpp
Path Finder

Thanks, this worked out for me.


niketn
Legend

Great... Cheers!!!
