Splunk Search

How do I block GUI messages about missing indexes?

twinspop
Influencer

Since 7.3 the missing indexes message below goes to all my users causing many panicked questions about Splunk being down. How can I block this message? I don't see any stanza in default/messages.conf that matches this verbiage.

Search peer indx01 has the following message: Received event for unconfigured/disabled/deleted index=indexname with source="source::vmstat" host="hostname" sourcetype="sourcetype::vmstat". So far received events from 1 missing index
0 Karma

jacobpevans
Motivator

Hi @twinspop,

Edit: According to @martin_mueller here, you can just go to Settings > User Interface > Bulletin messages to configure stuff like this (new to me). However, I see nothing personally when I go there.

While I do not agree with this approach, if you really want to do this, could you try this search (replace the third part with your error message or a part of it). Keep in mind that I am guessing because I would never do this in my own environment.

index=_internal sourcetype=splunkd [index=indexname]

From there, on your search head (wherever users access Splunk), you should get an extracted component field and log_level field. From there, go to Settings > Server Settings > Server Logging and click the derived component from previously. You can change the log level of that component (only show FATAL, CRIT, ERROR, WARN, INFO, DEBUG and greater). That might suppress the warnings shown to the users if they are based on the splunkd logs.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma

mayurr98
Super Champion

Hello twinspop,
Unfortunately, I do not think there is any way to control which users see these messages. You could resolve this issue either by creating a new index or by disabling the monitor inputs causing those messages.

0 Karma

twinspop
Influencer

Well that sucks. Thanks for the confirmation. Without direct control over the thousands of forwarders sending to my indexers, I guess I'm just boned.

0 Karma

mayurr98
Super Champion

Well, you could try @jacobpevans's solution and see if it helps!

0 Karma
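
Added example (not written by any poster in this thread, and not Splunk code): one way to act on the suggestion above to create the index or disable the offending inputs is to work out which hosts are sending to which missing index. The sketch below parses the message format quoted in the question and groups the results by index; the sample lines, index names and host names are constructed, and `summarize` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Pattern follows the message text quoted in the question. The "Search peer"
# prefix is optional so the bare message text also matches.
MISSING_INDEX = re.compile(
    r'(?:Search peer (?P<peer>\S+) has the following message: )?'
    r'Received event for unconfigured/disabled/deleted index=(?P<index>\S+) '
    r'with source="(?:source::)?(?P<source>[^"]*)" '
    r'host="(?:host::)?(?P<host>[^"]*)" '
    r'sourcetype="(?:sourcetype::)?(?P<sourcetype>[^"]*)"'
)

def summarize(messages):
    """Group missing-index messages by index; return (report, unmatched lines)."""
    report = defaultdict(lambda: {"count": 0, "hosts": set(),
                                  "sourcetypes": set(), "peers": set()})
    unmatched = []
    for line in messages:
        m = MISSING_INDEX.search(line)
        if not m:
            unmatched.append(line)  # some other bulletin message; keep for review
            continue
        entry = report[m["index"]]
        entry["count"] += 1
        entry["hosts"].add(m["host"])
        entry["sourcetypes"].add(m["sourcetype"])
        if m["peer"]:
            entry["peers"].add(m["peer"])
    return dict(report), unmatched

# Constructed sample input (not real data).
SAMPLE = [
    'Search peer indx01 has the following message: Received event for unconfigured/disabled/deleted index=os_metrics with source="source::vmstat" host="web01" sourcetype="sourcetype::vmstat". So far received events from 1 missing index',
    'Search peer indx02 has the following message: Received event for unconfigured/disabled/deleted index=os_metrics with source="source::vmstat" host="host::web02" sourcetype="sourcetype::vmstat". So far received events from 1 missing index',
    'Received event for unconfigured/disabled/deleted index=appdev with source="source::/var/log/app.log" host="host::dev07" sourcetype="sourcetype::app_log". So far received events from 2 missing index',
    'Search peer indx01 has the following message: Disk usage above threshold',
]

if __name__ == "__main__":
    report, unmatched = summarize(SAMPLE)
    for index, e in sorted(report.items()):
        print(f"{index}: {e['count']} message(s), hosts={sorted(e['hosts'])}, "
              f"sourcetypes={sorted(e['sourcetypes'])}")
    print(f"{len(unmatched)} line(s) did not match the missing-index format")
```
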