Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Universal Forwarder stopped working

sbattista09
Contributor
‎09-04-2014 08:17 AM

On one of our Universal Forwarders the splunkd service stopped running. I was able to restart it and it is now working fine. I was hoping that someone could tell me something about the error i found in the log below, I couldn't find anything searching Google. 

Pipeline data does not have indexKey. [_path] = C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe\n[_raw] = \n[_stmid] = PT/PkkspoIEF8gHDF\n[MetaData:Source] = source::WinEventLog\n[MetaData:Host] = host::XXXX\n[MetaData:Sourcetype] = sourcetype::WinEventLog\n[_done] = _done\n[_conf] = source::WinEventLog|host::XXXX|WinEventLog|0\n[_channel] = 0\n
Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎09-04-2014 10:14 AM

Essentially, it means the 'modular input' that gathers Windows Event Log data sent in an event that did not say what index it was for.

Since all inputs (scripted, modular, file monitors, etc) are supposed to tell the splunk data processing pipeline what index their data should land in, this is considered an error.

Most likely (no promises) this is an error in Splunk-provided code, and not a configuration or user error. It seems unlikely that it relates to the service ceasing to run, though it is possible. Splunkd has handled data with no index key many times in the past without crashing.

Essentially this is really a technical support problem, though if the misbehavior was a one-off it may be difficult to gain traction / not necessarily worth your time to work through.

View solution in original post

Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎09-04-2014 10:14 AM

Essentially, it means the 'modular input' that gathers Windows Event Log data sent in an event that did not say what index it was for.

Since all inputs (scripted, modular, file monitors, etc) are supposed to tell the splunk data processing pipeline what index their data should land in, this is considered an error.

Most likely (no promises) this is an error in Splunk-provided code, and not a configuration or user error. It seems unlikely that it relates to the service ceasing to run, though it is possible. Splunkd has handled data with no index key many times in the past without crashing.

Essentially this is really a technical support problem, though if the misbehavior was a one-off it may be difficult to gain traction / not necessarily worth your time to work through.

Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...