hello, we are trying to configure a lastchanceindex to capture events being sent to a non-existing index, however it doesnt seem to be working. I've added to the indexes.conf "lastChanceIndex = test_collect_std" but we still get the error message
Search peer indexer-6 has the following message: Received event for unconfigured/disabled/deleted index=fake_index with source="source::D:\tmp\ExampleLog.log" host="host::MACHINE" sourcetype="sourcetype::fake_sourcetype". So far received events from 1 missing index(es).
So the re-route doesnt seem to be doing what it should, there is very little documentation on this. Has anyone successfully got this to work?
For info we are running 7.3.0
can you share your indexes.conf?
this configuration should be under the [default]
stanza ... so should look something like this:
indexes.conf:
[default]
lastChanceIndex = main
[index1]
homePath = $SPLUNK_DB/index1/db
coldPath = $SPLUNK_DB/index1/colddb
thawedPath = $SPLUNK_DB/index1/thaweddb
maxDataSize = 10000
maxHotBuckets = 10
[index2]
homePath = $SPLUNK_DB/index2/db
coldPath = $SPLUNK_DB/index2/colddb
thawedPath = $SPLUNK_DB/index2/thaweddb
maxDataSize = 10000
maxHotBuckets = 10
.....