Splunk Enterprise

How to check when the index is disabled/enabled

sajeshpp
Path Finder

We are seeing that one of our indexes is disabled.
Is there any way to find when the index was disabled (date and time)?
Is this info logged in any log files?


niketn
Legend

@sajeshpp, you can get this from Splunk's _audit index. Add the index name which has been disabled to the following query:

index="_audit" action=disable object="<YourDisabledIndexName>"
 | table object action user timestamp _raw _time

woodcock
Esteemed Legend

You will know if you are getting events for that index, believe me!

On all Search Heads that are peered to indexers in the Messages area you will see messages like:

Received event for unconfigured/disabled/deleted index='lost_index' with source='source::/tmp/test' host='host::localhost.localdomain' sourcetype='sourcetype::anything' (1 missing total)

You can also search _internal for splunkd.log (/opt/splunk/var/log/splunk/splunkd.log) for events like this:

05-22-2017 17:30:43.276 +0200 WARN  IndexProcessor - received event for unconfigured/disabled/deleted index='lost_index' with source='source::/tmp/test' host='host::localhost.localdomain' sourcetype='sourcetype::anything' (1 missing total)

sajeshpp
Path Finder

Thanks for your response 🙂
Yes, it shows the messages. But it won't tell you when the index was disabled.

We are not using/monitoring this server regularly as it is part of PoC/testing activity, and logs are also not pushed regularly to the index. Hence it will be difficult to find when the index was disabled and by whom.


woodcock
Esteemed Legend

Search in _internal for the log that I indicated. When it first started happening is roughly when it was disabled.

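Combining the two approaches in this thread, the earliest IndexProcessor warning per index (a lower bound on when it was disabled) and the _audit action=disable record (who did it and when), as an added Python example that is not from the thread. The splunkd.log and audit lines are constructed samples that approximate Splunk's formats; the key=value layout of the audit line is an assumption.

```python
import re
from datetime import datetime

# Constructed sample data (not taken from the thread). The WARN line mirrors the
# splunkd.log format shown above; the audit line is an assumed key=value layout
# carrying the fields the thread's query uses (timestamp, user, action, object).
SPLUNKD_LOG = """\
05-22-2017 17:30:43.276 +0200 WARN  IndexProcessor - received event for unconfigured/disabled/deleted index='lost_index' with source='source::/tmp/test' host='host::localhost.localdomain' sourcetype='sourcetype::anything' (1 missing total)
05-22-2017 17:31:02.001 +0200 WARN  IndexProcessor - received event for unconfigured/disabled/deleted index='lost_index' with source='source::/tmp/test' host='host::localhost.localdomain' sourcetype='sourcetype::anything' (2 missing total)
05-22-2017 17:35:10.500 +0200 WARN  IndexProcessor - received event for unconfigured/disabled/deleted index='other_idx' with source='source::/tmp/x' host='host::h1' sourcetype='sourcetype::anything' (1 missing total)
"""
AUDIT_EVENTS = """\
Audit:[timestamp=05-22-2017 17:29:55.100 +0200, user=admin, action=disable, object="lost_index", info=granted]
Audit:[timestamp=05-22-2017 17:40:00.000 +0200, user=admin, action=search, info=granted]
"""

TS_FMT = "%m-%d-%Y %H:%M:%S.%f %z"
WARN_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) WARN\s+IndexProcessor - received event for "
    r"unconfigured/disabled/deleted index='(?P<index>[^']+)'")
AUDIT_RE = re.compile(
    r"timestamp=(?P<ts>[^,]+), user=(?P<user>[^,]+), action=(?P<action>[^,]+), "
    r"object=\"(?P<object>[^\"]+)\"")

def first_dropped_event(log_text):
    """Earliest 'disabled/deleted index' warning per index: events were already
    being dropped by this time, so the index was disabled no later than this."""
    first = {}
    for line in log_text.splitlines():
        m = WARN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        if m["index"] not in first or ts < first[m["index"]]:
            first[m["index"]] = ts
    return first

def audit_disable(audit_text, index_name):
    """The _audit record for action=disable on index_name (who and when), or None
    when no such record exists, e.g. the index was disabled outside the audited UI."""
    for line in audit_text.splitlines():
        m = AUDIT_RE.search(line)
        if m and m["action"] == "disable" and m["object"] == index_name:
            return {"user": m["user"], "time": datetime.strptime(m["ts"].strip(), TS_FMT)}
    return None
```

When both sources are available, the audit time should precede the first warning; a warning with no matching audit record is the case woodcock describes, where only the rough time is recoverable.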


sajeshpp
Path Finder

Thanks, this worked out for me.


niketn
Legend

Great... Cheers!!!
