https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-Splunk-is-generating-Eventcode-1035/m-p/125845#M25946 <P>This problem was fixed in Splunk 6.3.0. I've personally verified it with Splunk 6.3.2 Universal Forwarder.</P> Wed, 06 Jan 2016 20:52:37 GMT jberd126 2016-01-06T20:52:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-Splunk-is-generating-Eventcode-1035/m-p/125844#M25945 <P>Splunk appears to be calling "Win32_Product" WMI function that triggers a consistency check of installed applications causing numberous 1035 event codes to be generated in the event log (approximately 100 every 10 minutes). It appears to correlate nicely with perfmon queries.</P> <PRE><CODE>eventtype="wineventlog_windows" sourcetype="WinEventLog:*" EventCode=1035 SourceName=MsiInstaller </CODE></PRE> <P>I can confirm that, through PowerShell, executing "Get-WmiObject Win32_Product" does indeed trigger the 1035 events/</P> <P>I've looked through our configs and have verified that we are not running a Win32_Product WMI query explicitly and I verified that running the Splunk command 'splunk-wmi' does <STRONG>not</STRONG> trigger the generation of 1035 events. </P> <P>Not all machines exhibit this problem and we have not been able to determine a pattern on why some are affected and others are not.</P> <P>Software</P> <UL> <LI>Windows Server 2012 </LI> <LI>Splunk Universal Forwarder 6.2.2</LI> </UL> <P>More information in Microsoft KB article: </P> <UL> <LI>Event log message indicates that the Windows Installer reconfigured all installed applications: <A href="https://support.microsoft.com/en-us/kb/974524">https://support.microsoft.com/en-us/kb/974524</A></LI> </UL> Fri, 29 May 2015 16:13:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-Splunk-is-generating-Eventcode-1035/m-p/125844#M25945 jberd126 2015-05-29T16:13:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-Splunk-is-generating-Eventcode-1035/m-p/125845#M25946 <P>This problem was fixed in Splunk 6.3.0. I've personally verified it with Splunk 6.3.2 Universal Forwarder.</P> Wed, 06 Jan 2016 20:52:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-Splunk-is-generating-Eventcode-1035/m-p/125845#M25946 jberd126 2016-01-06T20:52:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-Splunk-is-generating-Eventcode-1035/m-p/125846#M25947 <P>Note that the every 10 minutes issue for us appears to be tied to WinHostMon stanzas. The default interval for WinHostMon is every 10 minutes. Procmon is currently set to every 1 minute for us so I don't believe this to be causing the issue.</P> Thu, 28 Jan 2016 16:06:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-Splunk-is-generating-Eventcode-1035/m-p/125846#M25947 fairje 2016-01-28T16:06:15Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-Splunk-is-generating-Eventcode-1035/m-p/125847#M25948 <P>I have same problem. Applications Event logs are filled with multiple events with id 1035 generated by MsiInstaller. I upgraded Splunk from 7.0.0 to 7.3.1, still no use. We are running on Windows Server 2016. Any help would be much appreciated. Thanks in advance.</P> Wed, 07 Aug 2019 10:22:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-Splunk-is-generating-Eventcode-1035/m-p/125847#M25948 mahantdesai 2019-08-07T10:22:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-Splunk-is-generating-Eventcode-1035/m-p/125848#M25949 <P>We have problem with splunk generating multiple events with event id 1035 generated by MsiInstaller. I have upgraded Splunk from 7.0.0 to 7.3.1, still no use. We are running on Windows Server 2016. Any help would be much appreciated. Thanks in advance.</P> Wed, 07 Aug 2019 10:24:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-Splunk-is-generating-Eventcode-1035/m-p/125848#M25949 mahantdesai 2019-08-07T10:24:13Z