Has anyone come across the following error, and has any fix worked without reinstalling the forwarder?
The SplunkForwarder service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services
Yes, unfortunately the only solution we have found is to reboot the server. We are still looking for a better solution.
It was a bug; after upgrading to a newer version it was fixed.
Which version was this fixed in? It recently occurred on a Windows server with version 7.2.1.
Windows doesn't provide much detail in that error message, so it could be a wide variety of things. If Splunk stopped for some reason other than a bug, there should be information in the Splunk service's log. Most of Splunk's internal logging gets sent to a text file rather than the Windows event log.
Look in C:/Program Files/Splunk/var/log/splunkd.log (slashes reversed so they show up in this editor)
There's a good chance it will have logged an error indicating what went wrong. You may want to move/rename the file and try starting Splunk again so that you have only one startup attempt in the log, making it easier to read.
If Splunk experienced a hard crash, there should also be a crashdump file in that same folder.
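The checks suggested in the answer above, collected into one pass, as an added PowerShell example that is not part of the original thread. The default log folder is the one quoted in the answer, and the crash file name pattern and 15-second wait are assumptions; adjust them to the actual install.

```powershell
# Added triage example; paths, file patterns and the wait time are assumptions.
param(
    [string]$ServiceName = 'SplunkForwarder',                 # name from the error text
    [string]$LogDir      = 'C:\Program Files\Splunk\var\log'  # folder quoted in the answer
)

# 1. Which account the service runs as, and the exit codes Windows recorded for it.
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, State, StartName, ExitCode, ServiceSpecificExitCode, PathName

# 2. Set the old log aside so the next start attempt is the only one in the file.
$log = Join-Path $LogDir 'splunkd.log'
if (Test-Path $log) {
    Rename-Item -Path $log -NewName ("splunkd.log.{0:yyyyMMdd-HHmmss}" -f (Get-Date))
}

# 3. One start attempt. A failure is expected here, so do not abort on it.
$started = Get-Date
Start-Service -Name $ServiceName -ErrorAction SilentlyContinue
Start-Sleep -Seconds 15

# 4. Anything splunkd logged at WARN or above during that attempt.
if (Test-Path $log) {
    Select-String -Path $log -Pattern '\s(WARN|ERROR|FATAL)\s' |
        Select-Object -First 50 -ExpandProperty Line
} else {
    Write-Output 'No splunkd.log was written during this start attempt.'
}

# 5. Crash files created since the attempt (name pattern is an assumption).
Get-ChildItem -Path $LogDir -Filter 'crash*' -Recurse -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -ge $started

# 6. Service Control Manager events from the System log for the same window.
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        StartTime    = $started
    } -ErrorAction SilentlyContinue |
    Where-Object Message -match $ServiceName |
    Select-Object TimeCreated, Id, Message
```

Run it from an elevated prompt. If step 4 reports that no log was written, the exit codes from step 1 and the events from step 6 are the remaining evidence to work from.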
I don't see any log entries being made in splunkd.log. I think that is because Splunk is not even starting, hence there is no logging activity taking place. I was expecting a crashdump log, but unfortunately I don't even see that.
After researching on the web, I don't see any resolutions that work for me, as the service properties are already mapped to the Local System Account. There is sufficient storage available on the drives. Also, Event Viewer only shows an error for Service Failed. The resolution, I strongly feel, is to reinstall, but I need to find the RCA before I do that.
Were you able to find the root cause?
You can open services.msc from Run and see which user is set for the service that you have created. I believe it should be "Local System Account".
Yes, it's Local System Account.