Last Chance Index setup issues

lavster · ‎09-25-2019

hello, we are trying to configure a lastchanceindex to capture events being sent to a non-existing index, however it doesnt seem to be working. I've added to the indexes.conf "lastChanceIndex = test_collect_std" but we still get the error message

Search peer indexer-6 has the following message: Received event for unconfigured/disabled/deleted index=fake_index with source="source::D:\tmp\ExampleLog.log" host="host::MACHINE" sourcetype="sourcetype::fake_sourcetype". So far received events from 1 missing index(es).

So the re-route doesnt seem to be doing what it should, there is very little documentation on this. Has anyone successfully got this to work?

For info we are running 7.3.0

adonio · ‎09-25-2019

can you share your indexes.conf?
this configuration should be under the [default] stanza ... so should look something like this:

indexes.conf:

[default]
lastChanceIndex = main

[index1]
homePath   = $SPLUNK_DB/index1/db
coldPath   = $SPLUNK_DB/index1/colddb
thawedPath = $SPLUNK_DB/index1/thaweddb
maxDataSize = 10000
maxHotBuckets = 10

[index2]
homePath   = $SPLUNK_DB/index2/db
coldPath   = $SPLUNK_DB/index2/colddb
thawedPath = $SPLUNK_DB/index2/thaweddb
maxDataSize = 10000
maxHotBuckets = 10

.....

Last Chance Index setup issues

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Join the Conversation

Last Chance Index setup issues

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community