Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Universal Forwarder stopped working

sbattista09
Contributor
‎09-04-2014 08:17 AM

On one of our Universal Forwarders the splunkd service stopped running. I was able to restart it and it is now working fine. I was hoping that someone could tell me something about the error i found in the log below, I couldn't find anything searching Google. 

Pipeline data does not have indexKey. [_path] = C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe\n[_raw] = \n[_stmid] = PT/PkkspoIEF8gHDF\n[MetaData:Source] = source::WinEventLog\n[MetaData:Host] = host::XXXX\n[MetaData:Sourcetype] = sourcetype::WinEventLog\n[_done] = _done\n[_conf] = source::WinEventLog|host::XXXX|WinEventLog|0\n[_channel] = 0\n
Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎09-04-2014 10:14 AM

Essentially, it means the 'modular input' that gathers Windows Event Log data sent in an event that did not say what index it was for.

Since all inputs (scripted, modular, file monitors, etc) are supposed to tell the splunk data processing pipeline what index their data should land in, this is considered an error.

Most likely (no promises) this is an error in Splunk-provided code, and not a configuration or user error. It seems unlikely that it relates to the service ceasing to run, though it is possible. Splunkd has handled data with no index key many times in the past without crashing.

Essentially this is really a technical support problem, though if the misbehavior was a one-off it may be difficult to gain traction / not necessarily worth your time to work through.

View solution in original post

Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎09-04-2014 10:14 AM

Essentially, it means the 'modular input' that gathers Windows Event Log data sent in an event that did not say what index it was for.

Since all inputs (scripted, modular, file monitors, etc) are supposed to tell the splunk data processing pipeline what index their data should land in, this is considered an error.

Most likely (no promises) this is an error in Splunk-provided code, and not a configuration or user error. It seems unlikely that it relates to the service ceasing to run, though it is possible. Splunkd has handled data with no index key many times in the past without crashing.

Essentially this is really a technical support problem, though if the misbehavior was a one-off it may be difficult to gain traction / not necessarily worth your time to work through.

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...