I'm trying to configure the Splunk Unviersal forwader on a windows box to forward windows event log messages to my splunk 4.2 indexer. I wanted to keep windows events in a separate index from my other linux logs, so I created a new index on the indexer for "windows_events" and made sure it was enabled. I then added "index = windows_events" to each of my sections in the inputs.conf file in "C:Program FilesSplunkUniversalForwarderetcappsMSICreatedlocal" on my forwarder.
I'm getting events into my windows_events index, but I'm also seeing this warning at the top of my search screen
received event for unconfigured/disabled index='"windows_events"' with source='source::WinEventLog:Security' host='host::DC001' sourcetype='sourcetype::WinEventLog:Security' (1 missing total)
Any idea how to clear this warning message?
I had created the index via SplunkWeb manager. This issues seems to have resolved itself after restarting splunk about 3 times and waiting a few hours.
answered 09 May '11, 08:10