https://community.splunk.com/t5/Getting-Data-In/quot-Splunk-could-not-get-the-description-for-this-event-quot/m-p/60338#M11956 <P>I am getting a high incidence rate of "Splunk could not get the description for this event."<BR /> All forwarders are SplunkUniversalForwarders, versions 4.2 thru 5.0.1.<BR /> Yesterday I got these results from my Linux 4.3.2 indexer:</P> <PRE><CODE> Servers with Splunk Universal Servers with "Splunk Could Forwarder Ver. WinEvents OK not get desc" Total 4.2 27 21 48 4.2.2 4 2 6 4.3.1 1 - 1 4.3.2 4 8 12 5.0.1 172 40 212 Total 208 71 279 </CODE></PRE> <P>Since the results were so scattered among the forwarder versions, I upgraded the indexer to 5.0.2.<BR /><BR /> As the indexer is a Linux box, and I know the event descriptions are extracted from the DLL’s on the clients, I really didn’t expect to see a change. However, since the change I now have 151 servers with “could not get” — over twice what I had yesterday before upgrading the indexer. Now over 75% of my windows events contain “Splunk could not get the description for this event.”</P> <P>The majority of the events are from the security logs, but there is also a significant number of events from the system and application event logs.<BR /><BR /> Descriptions are present when viewed via event viewer on servers in most cases. In a few cases applications do not put descriptions into the application log.<BR /><BR /> A spotcheck of some of the affected servers shows that msaudite.dll file and the security subkey under hklm\system\currentcontrolset\services\eventlog\security are present.<BR /><BR /> Operating systems are also a mix — 78 of the effected machines are Server 2008, the rest 2003.</P> <P>Any help would be greatly appreciated.</P> Wed, 13 Mar 2013 16:56:53 GMT rgcox1 2013-03-13T16:56:53Z https://community.splunk.com/t5/Getting-Data-In/quot-Splunk-could-not-get-the-description-for-this-event-quot/m-p/60338#M11956 <P>I am getting a high incidence rate of "Splunk could not get the description for this event."<BR /> All forwarders are SplunkUniversalForwarders, versions 4.2 thru 5.0.1.<BR /> Yesterday I got these results from my Linux 4.3.2 indexer:</P> <PRE><CODE> Servers with Splunk Universal Servers with "Splunk Could Forwarder Ver. WinEvents OK not get desc" Total 4.2 27 21 48 4.2.2 4 2 6 4.3.1 1 - 1 4.3.2 4 8 12 5.0.1 172 40 212 Total 208 71 279 </CODE></PRE> <P>Since the results were so scattered among the forwarder versions, I upgraded the indexer to 5.0.2.<BR /><BR /> As the indexer is a Linux box, and I know the event descriptions are extracted from the DLL’s on the clients, I really didn’t expect to see a change. However, since the change I now have 151 servers with “could not get” — over twice what I had yesterday before upgrading the indexer. Now over 75% of my windows events contain “Splunk could not get the description for this event.”</P> <P>The majority of the events are from the security logs, but there is also a significant number of events from the system and application event logs.<BR /><BR /> Descriptions are present when viewed via event viewer on servers in most cases. In a few cases applications do not put descriptions into the application log.<BR /><BR /> A spotcheck of some of the affected servers shows that msaudite.dll file and the security subkey under hklm\system\currentcontrolset\services\eventlog\security are present.<BR /><BR /> Operating systems are also a mix — 78 of the effected machines are Server 2008, the rest 2003.</P> <P>Any help would be greatly appreciated.</P> Wed, 13 Mar 2013 16:56:53 GMT https://community.splunk.com/t5/Getting-Data-In/quot-Splunk-could-not-get-the-description-for-this-event-quot/m-p/60338#M11956 rgcox1 2013-03-13T16:56:53Z https://community.splunk.com/t5/Getting-Data-In/quot-Splunk-could-not-get-the-description-for-this-event-quot/m-p/60339#M11957 <P>I had this same issue, it came down to being the version of the forwarder 4.3.2 </P> <P>4.3.2 has a known bug and can cause this issue, to resolve this I had to upgrade all my forwarders from this version to 5.0.1</P> Tue, 17 Sep 2013 07:24:47 GMT https://community.splunk.com/t5/Getting-Data-In/quot-Splunk-could-not-get-the-description-for-this-event-quot/m-p/60339#M11957 AaronMoorcroft 2013-09-17T07:24:47Z