Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Universal Forwarder stopped working

sbattista09
Contributor
‎09-04-2014 08:17 AM

On one of our Universal Forwarders the splunkd service stopped running. I was able to restart it and it is now working fine. I was hoping that someone could tell me something about the error i found in the log below, I couldn't find anything searching Google. 

Pipeline data does not have indexKey. [_path] = C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe\n[_raw] = \n[_stmid] = PT/PkkspoIEF8gHDF\n[MetaData:Source] = source::WinEventLog\n[MetaData:Host] = host::XXXX\n[MetaData:Sourcetype] = sourcetype::WinEventLog\n[_done] = _done\n[_conf] = source::WinEventLog|host::XXXX|WinEventLog|0\n[_channel] = 0\n
Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎09-04-2014 10:14 AM

Essentially, it means the 'modular input' that gathers Windows Event Log data sent in an event that did not say what index it was for.

Since all inputs (scripted, modular, file monitors, etc) are supposed to tell the splunk data processing pipeline what index their data should land in, this is considered an error.

Most likely (no promises) this is an error in Splunk-provided code, and not a configuration or user error. It seems unlikely that it relates to the service ceasing to run, though it is possible. Splunkd has handled data with no index key many times in the past without crashing.

Essentially this is really a technical support problem, though if the misbehavior was a one-off it may be difficult to gain traction / not necessarily worth your time to work through.

View solution in original post

Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎09-04-2014 10:14 AM

Essentially, it means the 'modular input' that gathers Windows Event Log data sent in an event that did not say what index it was for.

Since all inputs (scripted, modular, file monitors, etc) are supposed to tell the splunk data processing pipeline what index their data should land in, this is considered an error.

Most likely (no promises) this is an error in Splunk-provided code, and not a configuration or user error. It seems unlikely that it relates to the service ceasing to run, though it is possible. Splunkd has handled data with no index key many times in the past without crashing.

Essentially this is really a technical support problem, though if the misbehavior was a one-off it may be difficult to gain traction / not necessarily worth your time to work through.

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...