Received event for unconfigured/disabled index…stash ( 1 missing total )

received event for unconfigured/disabled index='xxxx' with source='source::yyyy' host='host::zzzz' sourcetype='sourcetype::stash' ( 1 missing total )

Abbreviations used in this article:
SH   = Search Head
IDX = Indexer
UF   = Universal Forwarder
HF   = Heavy Forwarder
             _____________________________________________________
When you log in to your SH or IDX, you will see the following error message
under the 'message' tab at the top of your Splunk page:

received event for unconfigured/disabled index='xxxx' with source='source::yyyy' host='host::zzzz' sourcetype='sourcetype::stash' ( 1 missing total )


There are two solutions:


1.  If a UF/HF box is connected to the IDX box and is
   configured to send data to index="XXXX" on the IDX box,
   but that index has not been created there or has somehow
   been disabled, the above message appears. In this case,
   either create/enable index="XXXX" on the IDX box or
   disable forwarding on the UF/HF for that particular
   index, as shown below:

   ssh OR
   cd /opt/splunk/etc/system/local
   vi inputs.conf

   [monitor:///]
   index=XXXX
   
   # Add the line below to disable forwarding for this input

   disabled=1

   Then restart Splunk:

   /opt/splunk/bin/splunk restart


           ****************************************


2.  Go to the host over ssh:

    ssh ZZZZ
    cd /opt/splunk/etc/
    find . -type f -print0 | xargs -0 grep -i "XXXX"

    We know that ZZZZ is an SH, and an SH may have saved
    searches that use the "XXXX" name in their queries.
    So, go to that application and look in its
    "savedsearches.conf" file.


   cd /opt/splunk/etc/apps//local/
   vi savedsearches.conf
   
   Search for "XXXX" and disable the saved search
   in which this index is being used

  ( Just add the line below to its stanza ) : disabled=1

   OR, you can also disable your saved search from the GUI 🙂

   Go to the Splunk SH web interface,
   https://ZZZZ:8000

   Go to Manager –> Searches and Reports and then search
   for the index name. All the saved searches that use that
   index name will show up. Simply go to the
   'Status' field and 'Disable' it.


Note : There could be a situation where the index name ( XXXX ) is not in the
query itself but is used as the target of summary indexing.
Simply click on the saved search, scroll down and uncheck
"Summary Indexing ( Enable )" [ if you see 'XXXX' written there ]
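
An added example (not from the original post): a stricter version of the grep in solution 2 that also covers the summary-indexing case in the note. It reports only enabled stanzas whose `index`, `action.summary_index._name` or `search` line names the index exactly; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list .conf stanzas that still reference an index by exact name
# and are not disabled. Multi-line (backslash-continued) searches are not joined.
find_index_refs() {   # usage: find_index_refs INDEX [DIR]
    idx=$1
    dir=${2:-/opt/splunk/etc}
    find "$dir" -type f -name '*.conf' -exec awk -v idx="$idx" '
        function flush(   i) {   # emit buffered hits unless the stanza is disabled
            if (!off) for (i = 1; i <= n; i++) print file "\t" stanza "\t" hit[i]
            n = 0; off = 0
        }
        BEGIN { idx = tolower(idx) }
        FNR == 1    { flush(); file = FILENAME; stanza = "(global)" }
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { flush(); stanza = $0; next }
        /=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = tolower($0); sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
            if (key == "disabled" && (val == "1" || val == "true")) off = 1
            bare = val; gsub(/"/, "", bare)
            if ((key == "index" || key == "action.summary_index._name") && bare == idx)
                hit[++n] = key      # input destination or summary-index target
            if (key == "search" && val ~ ("index[ \t]*=[ \t]*\"?" idx "([^a-z0-9_-]|$)"))
                hit[++n] = key      # SPL that names the index explicitly
        }
        END { flush() }
    ' {} + | sort
}

build_sample() {   # constructed sample files, not from a real deployment
    mkdir -p "$1/system/local" "$1/apps/demo/local"
    cat > "$1/system/local/inputs.conf" <<'EOF'
[monitor:///var/log/constructed.log]
index = XXXX
disabled = 1
EOF
    cat > "$1/apps/demo/local/savedsearches.conf" <<'EOF'
[Constructed Report A]
search = index=XXXX error | stats count
[Constructed Summary B]
action.summary_index = 1
action.summary_index._name = XXXX
search = index=main | stats count by host
[Constructed Report C]
search = index=XXXX_old | stats count
EOF
}

d=$(mktemp -d); build_sample "$d"; find_index_refs XXXX "$d"; rm -rf "$d"
```

On the sample, the already-disabled monitor input and the search against `XXXX_old` are skipped, which a plain `grep -i` would not distinguish.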

Hopefully, whenever you encounter:

received event for unconfigured/disabled index='xxxx' with source='source::yyyy' host='host::zzzz' sourcetype='sourcetype::stash' ( 1 missing total )

the above error, you will be able to solve it immediately!
Happy Splunking !

 



