Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

ٍError "Splunk could not get the description for this event " in the message field

fahimeh
Explorer
‎09-18-2024 12:54 AM

Hello,
Some of the logs coming from the Windows Universal Forwarder to Splunk show the following error in the message field for certain events:
"Splunk could not get the description for this event."

I have reviewed
[https://community.splunk.com/t5/Getting-Data-In/Why-quot-FormatMessage-error-quot-appears-in-indexed...
, but it doesn't solve the issue, as this problem only occurs for a few specific events at specific times. I am using Splunk version 9.2.

What could be the issue?

Labels (2)
Labels
0 Karma
Reply

hrawat
Splunk Employee
Splunk Employee
‎02-04-2025 06:53 AM

Try 

https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-descrip...

0 Karma
Reply

fahimeh
Explorer
‎09-22-2024 09:59 PM

hi @gcusello 

No, I use the classic format

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-18-2024 01:24 AM

Hi @fahimeh ,

are you using xml or classif format?

if xml, try using the classic format adding renderXML=0 to the inputs.conf.

Ciao.

Giuseppe

0 Karma
Reply

fahimeh
Explorer
‎09-22-2024 10:44 PM

hi @gcusello 

No, I use the classic format

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-22-2024 11:20 PM

Hi @fahimeh ,

this is a Splunk maintenad add-on, so you can open a case to Splunk Support.

Without accessing your system it's hard to identify the issue.

Ciao.

Giuseppe

0 Karma
Reply

fahimeh
Explorer
‎09-23-2024 02:29 AM

pastedImage.jpg

 

The error message is generated only for these specific event codes

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-23-2024 05:37 AM

Hi @fahimeh ,

are you sure that it's a Splunk issue and not a Windows issue?

Anyway, open a case to Splunk Support.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...