Splunk Search

Received event for unconfigured/disabled/deleted......

xsstest
Communicator

I am a Splunk novice.

https://answers.splunk.com/answers/522405/why-is-there-no-data-in-my-summary-index.html

URL of the file or not resolved.

Description: I created a Splunk cluster and created a lot of alert strategies on my search server. Some alerts open the summary index, and the summary index name is "alerts". I confirm that the alerts are the existing. And I'm sure a lot of alerts have been triggered. But when I run "index = alerts" on the search server, it returns empty. And I got this information on the search server's web UI: "Received event for unconfigured / disabled / deleted ...." as shown below:

Question: Why is no data written to my summary index? Is there a problem with my configuration?

0 Karma
1 Solution

gfreitas
Builder

Have you enabled data forwarding on the search head to send the indexed data to the indexers? You can enable event forwarding on the search head by going to Settings > Forwarding and receiving > Configure forwarding > add your two indexers. This way the data that you asked to index on the search head will be forwarded to the indexers and will get indexed.

0 Karma

dineshraj9
Builder

Can you run the query below and verify that the index is created on your indexers?

| eventcount summarize=false index=alerts

Verify that all your indexers are listed here.
Also try restarting the indexers once.

0 Karma

xsstest
Communicator

The result is 0. What should I do next?

0 Karma

xsstest
Communicator

This is a cluster

0 Karma
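
The forwarding setup from the accepted answer and the index that the `eventcount` check looks for, written as configuration files instead of UI steps. This is an added example, not part of the original thread; the file locations, group name, indexer host names and port 9997 are assumptions.

```ini
# ---- Search head: outputs.conf (assumed location: $SPLUNK_HOME/etc/system/local/) ----
# Comments sit on their own lines; Splunk treats a trailing "# ..." as part of the value.

# Stop the search head from indexing summary events locally.
[indexAndForward]
index = false

[tcpout]
# Hypothetical group name.
defaultGroup = alerts_indexers
# Forward every index, including summary indexes, not only the default filtered set.
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:alerts_indexers]
# Constructed host names; 9997 is the assumed receiving port on each indexer.
server = idx1.example.com:9997, idx2.example.com:9997

# ---- Indexers: indexes.conf (in a cluster, distributed from the manager node's configuration bundle) ----
# "Received event for unconfigured/disabled/deleted ..." is reported when events arrive
# for an index that is not defined, or is disabled, on the instance that indexes them.
[alerts]
homePath   = $SPLUNK_DB/alerts/db
coldPath   = $SPLUNK_DB/alerts/colddb
thawedPath = $SPLUNK_DB/alerts/thaweddb
# Replicate the index across the cluster peers.
repFactor  = auto
```

Once both files are in place and the instances have been restarted, the `| eventcount summarize=false index=alerts` search from the thread should list every indexer.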