https://community.splunk.com/t5/Splunk-Search/Windows-Events-with-Null-Message/m-p/88943#M22770 <P>Splunk is reporting a majority of my windows events are being returned with "Null" in the message field. However, When I review the same message on the server on which the message occurred, there is information in the eventdata field. </P> Tue, 26 Apr 2011 14:05:15 GMT richnavis 2011-04-26T14:05:15Z https://community.splunk.com/t5/Splunk-Search/Windows-Events-with-Null-Message/m-p/88943#M22770 <P>Splunk is reporting a majority of my windows events are being returned with "Null" in the message field. However, When I review the same message on the server on which the message occurred, there is information in the eventdata field. </P> Tue, 26 Apr 2011 14:05:15 GMT https://community.splunk.com/t5/Splunk-Search/Windows-Events-with-Null-Message/m-p/88943#M22770 richnavis 2011-04-26T14:05:15Z https://community.splunk.com/t5/Splunk-Search/Windows-Events-with-Null-Message/m-p/88944#M22771 <P>I think this is related to this bug:<BR /> The Message field is not extracted and is therefore missing from imported Windows event log file (.evt) data. (SPL-24947) (the list of known issues are located <A href="http://www.splunk.com/base/Documentation/latest/ReleaseNotes/Knownissues">here</A>)</P> <P>From what I understand that this is a troublesome bug which resides mostly on Microsoft's side.</P> Tue, 26 Apr 2011 14:46:07 GMT https://community.splunk.com/t5/Splunk-Search/Windows-Events-with-Null-Message/m-p/88944#M22771 Brian_Osburn 2011-04-26T14:46:07Z https://community.splunk.com/t5/Splunk-Search/Windows-Events-with-Null-Message/m-p/88945#M22772 <P>Figured it out.. Needed to restart SplunkD to establish new connection to windows servers.</P> Mon, 02 May 2011 14:40:16 GMT https://community.splunk.com/t5/Splunk-Search/Windows-Events-with-Null-Message/m-p/88945#M22772 richnavis 2011-05-02T14:40:16Z https://community.splunk.com/t5/Splunk-Search/Windows-Events-with-Null-Message/m-p/88946#M22773 <P>Could also restart WMI service on the windows servers to reset the WMI connection</P> Mon, 09 May 2011 16:53:52 GMT https://community.splunk.com/t5/Splunk-Search/Windows-Events-with-Null-Message/m-p/88946#M22773 richnavis 2011-05-09T16:53:52Z https://community.splunk.com/t5/Splunk-Search/Windows-Events-with-Null-Message/m-p/88947#M22774 <P>To restart the WMI Service:</P> <PRE><CODE>net stop winmgmt net start winmgmt </CODE></PRE> <P><A href="https://msdn.microsoft.com/en-us/library/aa826517%28v=vs.85%29.aspx">Link</A></P> Tue, 10 Feb 2015 09:13:30 GMT https://community.splunk.com/t5/Splunk-Search/Windows-Events-with-Null-Message/m-p/88947#M22774 bjoernjensen 2015-02-10T09:13:30Z