Re: Introspecting scheme=WinEventLog: killing proc...

thy666 · ‎11-05-2017

I met an error to start collecting WinEventLog when starting Universal Forwarder 6.6.2 on Windows Server 2008R2(x64). The streamfwd.exe worked well on the same host. Do you have same situation, and idea?

10-29-2017 19:38:05.421 +0900 ERROR ModularInputs - Unable to initialize modular input "WinEventLog" defined in the system context: Introspecting scheme=WinEventLog: script running failed (exited with code 0).
10-29-2017 19:38:05.156 +0900 ERROR ModularInputs - Introspecting scheme=WinEventLog: killing process, because executing it took too long (over 30000 msecs).

mbadhusha_splun · ‎11-27-2018

Disable all other stanzas. Leave only the affected stanza enabled.
Run the input from the command line to see if it can read events. $ splunk cmd splunkd print-modinput-config WinEventLog | splunk-WinEvtLog.exe
Remove the checkpoint file (make a copy of it first) and restart Splunk service.
Run the input again to see if it can read events.

If this is because of the checkpoint file, step 2 will not produce events. Step 4 should produce events.

On the UF, run command prompt as administrator
Navigate to $SPLUNK_HOME\bin
Run the below two commands,

$ set SPLUNK_HOME="c:\program files\SplunkUniversalForwarder"

$ splunk cmd splunkd print-modinput-config WinEventLog

You can consider upgrading the affected Splunk UF's as well.

Cheers!

Introspecting scheme=WinEventLog: killing process, because executing it took too long

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation