Getting Data In

Splunk Universal Forwarder stopped working

sbattista09
Contributor

On one of our Universal Forwarders the splunkd service stopped running. I was able to restart it and it is now working fine. I was hoping that someone could tell me something about the error i found in the log below, I couldn't find anything searching Google.

Pipeline data does not have indexKey. [_path] = C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe\n[_raw] = \n[_stmid] = PT/PkkspoIEF8gHDF\n[MetaData:Source] = source::WinEventLog\n[MetaData:Host] = host::XXXX\n[MetaData:Sourcetype] = sourcetype::WinEventLog\n[_done] = _done\n[_conf] = source::WinEventLog|host::XXXX|WinEventLog|0\n[_channel] = 0\n
1 Solution

jrodman
Splunk Employee
Splunk Employee

Essentially, it means the 'modular input' that gathers Windows Event Log data sent in an event that did not say what index it was for.

Since all inputs (scripted, modular, file monitors, etc) are supposed to tell the splunk data processing pipeline what index their data should land in, this is considered an error.

Most likely (no promises) this is an error in Splunk-provided code, and not a configuration or user error. It seems unlikely that it relates to the service ceasing to run, though it is possible. Splunkd has handled data with no index key many times in the past without crashing.

Essentially this is really a technical support problem, though if the misbehavior was a one-off it may be difficult to gain traction / not necessarily worth your time to work through.

View solution in original post

jrodman
Splunk Employee
Splunk Employee

Essentially, it means the 'modular input' that gathers Windows Event Log data sent in an event that did not say what index it was for.

Since all inputs (scripted, modular, file monitors, etc) are supposed to tell the splunk data processing pipeline what index their data should land in, this is considered an error.

Most likely (no promises) this is an error in Splunk-provided code, and not a configuration or user error. It seems unlikely that it relates to the service ceasing to run, though it is possible. Splunkd has handled data with no index key many times in the past without crashing.

Essentially this is really a technical support problem, though if the misbehavior was a one-off it may be difficult to gain traction / not necessarily worth your time to work through.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...