|
I'm trying to configure the Splunk Unviersal forwader on a windows box to forward windows event log messages to my splunk 4.2 indexer. I wanted to keep windows events in a separate index from my other linux logs, so I created a new index on the indexer for "windows_events" and made sure it was enabled. I then added "index = windows_events" to each of my sections in the inputs.conf file in "C:Program FilesSplunkUniversalForwarderetcappsMSICreatedlocal" on my forwarder. I'm getting events into my windows_events index, but I'm also seeing this warning at the top of my search screen received event for unconfigured/disabled index='"windows_events"' with source='source::WinEventLog:Security' host='host::DC001' sourcetype='sourcetype::WinEventLog:Security' (1 missing total) Any idea how to clear this warning message?
|
|
how did you create your index?via the UI?via the indexes.conf? do you have more than 1 indexer? if yes did you create the index on all of the indexer? |
