
How do I block GUI messages about missing indexes?

twinspop
Influencer

Since 7.3 the missing indexes message below goes to all my users causing many panicked questions about Splunk being down. How can I block this message? I don't see any stanza in default/messages.conf that matches this verbiage.

Search peer indx01 has the following message: Received event for unconfigured/disabled/deleted index=indexname with source="source::vmstat" host="hostname" sourcetype="sourcetype::vmstat". So far received events from 1 missing index
0 Karma

jacobpevans
Motivator

Hi @twinspop,

Edit: According to @martin_mueller here, you can just go to Settings > User Interface > Bulletin messages to configure stuff like this (new to me). However, I see nothing personally when I go there.

While I do not agree with this approach, if you really want to do this, could you try this search (replace the third part with your error message or a part of it). Keep in mind that I am guessing because I would never do this in my own environment.

index=_internal sourcetype=splunkd "index=indexname"

From there, on your search head (wherever users access Splunk), you should get an extracted component field and log_level field. From there, go to Settings > Server Settings > Server Logging and click the derived component from previously. You can change the log level of that component (only show FATAL, CRIT, ERROR, WARN, INFO, DEBUG and greater). That might suppress the warnings shown to the users if they are based on the splunkd logs.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma

mayurr98
Super Champion

Hello twinspop,
Unfortunately, I do not think there is any way to control which users see these messages. You could resolve this issue either by creating a new index or by disabling the monitor inputs causing those messages.

0 Karma
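
To act on the suggestion above (create the missing index or disable the inputs), an admin first needs to know which hosts are sending to which missing index. The following is an added example, not code from this thread: it parses messages in the format quoted in the question and groups them by index. The sample lines, index names and host names are constructed, and treating the `source::`/`host::`/`sourcetype::` prefixes as optional is an assumption.

```python
import re

# Pattern follows the message text quoted in the question. The "source::",
# "host::" and "sourcetype::" prefixes are treated as optional (assumption).
MISSING_INDEX_RE = re.compile(
    r'unconfigured/disabled/deleted index=(?P<index>\S+)'
    r' with source="(?:source::)?(?P<source>[^"]*)"'
    r' host="(?:host::)?(?P<host>[^"]*)"'
    r' sourcetype="(?:sourcetype::)?(?P<sourcetype>[^"]*)"'
)

def _sample(index, source, host, sourcetype):
    """Build a constructed message in the same shape as the quoted one."""
    return ('Search peer indx01 has the following message: Received event for '
            f'unconfigured/disabled/deleted index={index} with '
            f'source="source::{source}" host="{host}" '
            f'sourcetype="sourcetype::{sourcetype}". '
            'So far received events from 1 missing index')

# Constructed sample input: not real log data.
SAMPLE_LINES = [
    _sample("os_metrics", "vmstat", "web01", "vmstat"),
    _sample("os_metrics", "vmstat", "web02", "vmstat"),
    _sample("os_metrics", "iostat", "web01", "iostat"),
    _sample("app_audit", "/var/log/app/audit.log", "db01", "app:audit"),
    "Search peer indx01 has the following message: some unrelated message",
]

def summarize_missing_indexes(lines):
    """Group missing-index messages by index name; ignore other lines."""
    summary = {}
    for line in lines:
        m = MISSING_INDEX_RE.search(line)
        if m is None:
            continue
        entry = summary.setdefault(
            m["index"], {"messages": 0, "hosts": set(), "sourcetypes": set()})
        entry["messages"] += 1
        entry["hosts"].add(m["host"])
        entry["sourcetypes"].add(m["sourcetype"])
    return summary

def format_report(summary):
    """One line per missing index, most affected hosts first."""
    rows = sorted(summary.items(), key=lambda kv: (-len(kv[1]["hosts"]), kv[0]))
    return [f'{idx}: {e["messages"]} messages, '
            f'hosts={",".join(sorted(e["hosts"]))}, '
            f'sourcetypes={",".join(sorted(e["sourcetypes"]))}' for idx, e in rows]

if __name__ == "__main__":
    print("\n".join(format_report(summarize_missing_indexes(SAMPLE_LINES))))
```
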

twinspop
Influencer

Well that sucks. Thanks for the confirmation. Without direct control over the thousands of forwarders sending to my indexers, I guess I'm just boned.

0 Karma

mayurr98
Super Champion

Well, you could try @jacobpevans's solution and see if it helps!

0 Karma