After setting up a universal forwarder and receive...

mr_dombat · ‎11-17-2015

I've set up a universal forwarder on a remote webserver using local system account (Win2008R2 64bit).

I have enabled receiving on the receiver which is using a domain account (Win7 Pro 64bit). It asked to restart Splunk which I did.

The dashboard is now showing:

Error in 'DispatchProcess': Failed to write the info file to C:\Program Files\Splunk\var\run\splunk\dispatch\[lots of letters and numbers]\info.csv

nbjoshi_splunk · ‎11-17-2015

Are you sure you installed the Splunk Universal Forwarder and not a full Splunk installation? I would expect the directory to be C:\Program Files\SplunkUniversalForwarder....

In regards to your error, you might have some old erroneous results stored in the dispatch directory. You can manually clear out the "[lots of letters and numbers]" directory and restart Splunk and this should resolve the issue.

mr_dombat · ‎11-18-2015

The error message was manifesting itself in the full splunk.

On the indexer/receiver I deleted the files as requested it made no difference.

I changed the two services to run as interactive desktop enabled LocalService and restarted splunk, same messages.

I checked permissions on the folder(s) and added my domain and localsevice both as Full control, restarted, same messages.

I uninstalled Splunk, cleaned the registry using CCLeaner, rebooted, reinstalled using Local account (default setting) and it seems OK now.

Not getting anything from my forwarders still but that is a different question.

After setting up a universal forwarder and receiver on Windows, why am I getting "Error in 'DispatchProcess': Failed to write the info file to C:\Program Files\Splunk\var\run\splunk\dispatch\[lots of letters and numbers]\info.csv"?

Data Preparation Made Easy: SPL2 for Edge Processor

Introducing Edge Processor: Next Gen Data Transformation

Tips & Tricks When Using Ingest Actions