received event for unconfigured/disabled index='xxxx' with source='source::yyyy' host='host::zzzz' sourcetype='sourcetype::stash' (1 missing total)
Below are two solutions:
1. If a UF/HF box is connected to the IDX box and is
configured to send data to index="XXXX" on the IDX box,
but that index has not been created there or has somehow
been disabled, then the above message appears. In this
case, either create/enable index="XXXX" on the IDX box,
or disable the data forwarding on the UF/HF for that
particular index as shown below:
ssh <UF or HF host>
cd /opt/splunk/etc/system/local
vi inputs.conf
[monitor://<monitored path>]
index = XXXX
# Add the line below to disable forwarding for this input
disabled = 1
/opt/splunk/bin/splunk restart
****************************************
2. Go to the host by ssh and search the configuration
for the index name:
ssh ZZZZ
cd /opt/splunk/etc/
find . -type f -print0 | xargs -0 grep -i "XXXX"
We know that ZZZZ is a SH, and on a SH we may have saved
searches that use the name "XXXX" in their queries.
So, go to the application that owns the saved search and
look into its "savedsearches.conf" file.
cd /opt/splunk/etc/apps/<app_name>/local/
vi savedsearches.conf
Search for "XXXX" and disable each saved search
where this index is being used
(just add the line below to its stanza): disabled = 1
OR, you can also disable your saved search from the GUI.
Go to the Splunk SH web interface,
https://ZZZZ:8000
Go to Manager -> Searches and Reports and then search
for the index name; all the saved searches that use that
index name will show up. Simply go to the
'Status' field and 'Disable' each one.
Note: There could be a situation where the index name (XXXX) is not in the
query itself, but the saved search uses this index name for summary indexing.
In that case, simply click on the saved search, scroll down and uncheck
"Summary Indexing (Enable)" [if you see 'XXXX' written as the index there].
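The search from both solutions, including the summary-indexing case from the note, as an added example that is not part of the original post: a Python script that walks the .conf files under the Splunk etc directory and lists each enabled stanza that still uses the index. Assumptions: it reads each file literally and ignores Splunk's default/local layering, it relies on the savedsearches.conf setting action.summary_index._name for the summary index target, and the sample files, app name and search names are constructed.

```python
import re
import tempfile
from pathlib import Path

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, joining backslash-continued lines."""
    stanzas, current = {}, None
    for line in map(str.strip, text.replace("\\\n", " ").splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def find_index_refs(etc_dir, index):
    """Return sorted (file, stanza, reason) for enabled stanzas that use `index`."""
    in_query = re.compile(r"\bindex\s*=\s*\"?" + re.escape(index) + r"(?![\w-])", re.I)
    hits = []
    for conf in Path(etc_dir).rglob("*.conf"):
        rel = conf.relative_to(etc_dir).as_posix()
        for stanza, kv in parse_conf(conf.read_text(errors="replace")).items():
            if kv.get("disabled", "0").lower() in ("1", "true"):
                continue  # already disabled, so it cannot trigger the message
            if conf.name == "inputs.conf" and kv.get("index", "").lower() == index.lower():
                hits.append((rel, stanza, "input sends to index"))
            if conf.name == "savedsearches.conf" and in_query.search(kv.get("search", "")):
                hits.append((rel, stanza, "search references index"))
            if kv.get("action.summary_index._name", "").lower() == index.lower():
                hits.append((rel, stanza, "summary indexing writes to index"))
    return sorted(hits)

SAMPLE = {  # constructed sample files; app, path and search names are hypothetical
    "system/local/inputs.conf":
        "[monitor:///var/log/demo.log]\nindex = XXXX\n"
        "[monitor:///var/log/old.log]\nindex = XXXX\ndisabled = 1\n",
    "apps/demo_app/local/savedsearches.conf":
        "[Hourly rollup]\nsearch = index=main error | stats count\n"
        "action.summary_index = 1\naction.summary_index._name = XXXX\n"
        "[Direct query]\nsearch = index=XXXX \\\n| head 5\n",
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(body)
        return find_index_refs(tmp, "XXXX")

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real host, call find_index_refs("/opt/splunk/etc", "XXXX") with the index name from the message; the "Hourly rollup" hit is the case where the query never mentions the index but the summary index setting does.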
Wonderful Article