Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Warning Message: Received event for unconfigured/disabled index

gleblanc1783
Engager
‎08-10-2011 12:15 PM

We recently upgraded to 4.2.2. Since the upgrade - we've been receiving yellow warning messages at the top of the Splunk Web screen (text changed):

Search peer "indexer1" has the following message: received event for unconfigured/disabled index='foo' with source='source::C:\foo.log' host='host::foo' sourcetype='sourcetype::foo-too_small' (1 missing total)

We noticed that the index name was spelled incorrectly, and have since fixed the problem. Now, 24 hours later, we can't get the error/warn message to go away on our 3 search heads. We've restarted the search heads multiple times and no luck, it's still there.

Can anyone provide any information on how to get rid of this?

Thanks!

Tags (3)
0 Karma
Reply

john
Communicator
‎06-07-2012 07:00 AM

We have solved this problem by creating an index(with same name) in the server which we forwarding datas from unversal forwader.

Reply

neelamssantosh
Contributor
‎09-16-2014 12:08 AM

THANKS it worked as u suggested...

0 Karma
Reply

mfeeny1
Path Finder
‎02-23-2012 04:27 PM

We had similar problem, which we diagnosed and fixed. Now, the UF is no longer sending events to the wrong Indexer/Index.

BUT... We would LIKE to get rid of the error banner on the Search Head WITHOUT restarting Splunk on the Indexer(s). Our Indexers are running 4.2.5-113966, so I'm hoping things have changed such that we CAN nuke the error banner, but avoid bouncing Splunk on the Indexers.

Is it possible???

Thx,
mfeeny1

0 Karma
Reply

gekoner
Communicator
‎09-09-2011 10:40 AM

You will have to restart the splunkd on the Indexers too.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...