Splunk Search

How can we clean messages about unconfigured/disabled/deleted indexes?

ddrillic
Ultra Champion

We have some messages saying -

Search peer <host> has the following message: Received event for unconfigured/disabled/deleted index=<index_name> with source="<source_name>" host="<host_name>" sourcetype="<sourcetype_name>". So far received events from 6 missing index(es).

Since this index - <index_name> doesn't exist, I wonder if I should delete these events at parse time based on the index name. Is it possible?

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

If you want to eliminate those events, then route them to the nullqueue instead of the non-existent index.

https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue.html

You COULD put a stanza for that index, but it would be better to take the stanza that is currently routing event to that index and route them instead to the null queue.

View solution in original post

DalJeanis
SplunkTrust
SplunkTrust

If you want to eliminate those events, then route them to the nullqueue instead of the non-existent index.

https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue.html

You COULD put a stanza for that index, but it would be better to take the stanza that is currently routing event to that index and route them instead to the null queue.

ddrillic
Ultra Champion

Thank you @DalJeanis - gorgeous as usual.

DalJeanis
SplunkTrust
SplunkTrust

@ddrillic - I'm honored.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The best way to clean up those messages is fix the cause of them. Create the missing index (or enable it if it's disabled). By ignoring this message you risk losing data if you don't have a default index configured.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ddrillic
Ultra Champion

Thank you @richgalloway. In this case, the events are not needed. Is there a way to eliminate them at parsing time?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If the events are coming from the same input, deleting that input.conf stanza will stop them from coming in.
You can use btool to find the inputs.conf file to edit. splunk btool --debug inputs list | grep <index_name>.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ddrillic
Ultra Champion

Right, right, to some forwarders we don't have access at all and their inputs.conf is not always being administered by the central deployment server...

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...