Splunk Search

How can we clean messages about unconfigured/disabled/deleted indexes?

ddrillic
Ultra Champion

We have some messages saying -

Search peer <host> has the following message: Received event for unconfigured/disabled/deleted index=<index_name> with source="<source_name>" host="<host_name>" sourcetype="<sourcetype_name>". So far received events from 6 missing index(es).

Since this index - <index_name> doesn't exist, I wonder if I should delete these events at parse time based on the index name. Is it possible?

0 Karma
1 Solution

DalJeanis
Legend

If you want to eliminate those events, then route them to the nullqueue instead of the non-existent index.

https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue.html

You COULD put a stanza for that index, but it would be better to take the stanza that is currently routing event to that index and route them instead to the null queue.

View solution in original post

DalJeanis
Legend

If you want to eliminate those events, then route them to the nullqueue instead of the non-existent index.

https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue.html

You COULD put a stanza for that index, but it would be better to take the stanza that is currently routing event to that index and route them instead to the null queue.

ddrillic
Ultra Champion

Thank you @DalJeanis - gorgeous as usual.

DalJeanis
Legend

@ddrillic - I'm honored.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The best way to clean up those messages is fix the cause of them. Create the missing index (or enable it if it's disabled). By ignoring this message you risk losing data if you don't have a default index configured.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ddrillic
Ultra Champion

Thank you @richgalloway. In this case, the events are not needed. Is there a way to eliminate them at parsing time?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If the events are coming from the same input, deleting that input.conf stanza will stop them from coming in.
You can use btool to find the inputs.conf file to edit. splunk btool --debug inputs list | grep <index_name>.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ddrillic
Ultra Champion

Right, right, to some forwarders we don't have access at all and their inputs.conf is not always being administered by the central deployment server...

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...