Splunk Search

Received event for unconfigured/disabled/deleted......

xsstest
Communicator

I am a splunk novice.

Https://answers.splunk.com/answers/522405/why-is-there-no-data-in-my-summary-index.html

URL of the file or not resolved.

Description: I created a Splunk cluster and created a lot of alert strategies on my search server. Some alerts open the summary index, and the summary index name is "alerts". I confirm that the alerts are the existing. And I'm sure a lot of alerts have been triggered. But when I run "index = alerts" on the search server, it returns empty. And I got this information on the search server's web UI: "Received event for unconfigured / disabled / deleted ...." as shown below:

Question: Why is no data written to my summary index? Is there a problem with my configuration?

0 Karma
dineshraj9
Builder

Can you run the below query and verify if the index is created on your indexers?

| eventcount summarize=false index=alerts

Verify if all your indexers are listed here.
Also try restarting the indexers once.

0 Karma

xsstest
Communicator

The result is 0. What should I do next?

0 Karma

gfreitas
Builder

Have you enabled data forwarding on the search head to send the indexed data to the indexers? You can enable event forwarding on the search head by going to Settings > Forwarding and receiving > Configure forwarding > add your two indexers. This way the data that you asked to index on the search head will be forwarded to the indexers and will get indexed.

0 Karma

xsstest
Communicator

This is a cluster

0 Karma
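
The two suggestions in this thread (check that the `alerts` index exists on the indexers, and forward the search head's summary events to them) written as configuration files. This is an added example, not part of any post above; the indexer hostnames, the receiving port 9997 and the output group name `cluster_indexers` are assumptions.

```ini
# --- indexes.conf, on every indexer ---
# In an indexer cluster this stanza is distributed to the peers through
# the cluster manager's configuration bundle, not edited on each peer.
# Without it the indexers have no index named "alerts" to write to.
[alerts]
homePath   = $SPLUNK_DB/alerts/db
coldPath   = $SPLUNK_DB/alerts/colddb
thawedPath = $SPLUNK_DB/alerts/thaweddb
# Replicate this index across cluster peers.
repFactor  = auto

# --- outputs.conf, on the search head ---
# File equivalent of Settings > Forwarding and receiving > Configure forwarding.
# Do not keep a local copy of events on the search head.
[indexAndForward]
index = false

[tcpout]
defaultGroup = cluster_indexers
# Forward events for every index, summary indexes included.
forwardedindex.filter.disable = true
indexAndForward = false

# Assumed hostnames and receiving port; replace with your two indexers.
[tcpout:cluster_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
```

After both files are in place and Splunk has been restarted, `| eventcount summarize=false index=alerts` should list each indexer with a non-zero count once the next alert fires.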