Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- UF 6.0.2 on Windows 2008 R2: could not get descrip...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see this was a known issue with older versions of the Universal Forwarder but I keep getting these error messages on fresh installs using version 6.0.2:
"Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt."
This seems to happen mostly for System events and sporadically for Application events. The other event types appear to be OK.
If it makes any difference, the indexer is running 6.0.2 on Linux.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you'd be willing to turn on debug tracing, we may be able to help one another get to the bottom of this. Turning on debug may make the splunkd.log file chatty. When a Windows event fails the FormatMessage() call (http://msdn.microsoft.com/en-us/library/windows/desktop/ms679351(v=vs.85).aspx), if debug is enabled, we will log a message to what the Windows error is.
To turn on debug tracing, you will need to modify two .cfg files:
log.cfg and log-cmdline.cfg, both found in splunk's etc subdirectory.
In log.cfg, change category.ExecProcessor=INFO to category.ExecProcessor=DEBUG
In log-cmdline.cfg add category.splunk-winevtlog=DEBUG
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you'd be willing to turn on debug tracing, we may be able to help one another get to the bottom of this. Turning on debug may make the splunkd.log file chatty. When a Windows event fails the FormatMessage() call (http://msdn.microsoft.com/en-us/library/windows/desktop/ms679351(v=vs.85).aspx), if debug is enabled, we will log a message to what the Windows error is.
To turn on debug tracing, you will need to modify two .cfg files:
log.cfg and log-cmdline.cfg, both found in splunk's etc subdirectory.
In log.cfg, change category.ExecProcessor=INFO to category.ExecProcessor=DEBUG
In log-cmdline.cfg add category.splunk-winevtlog=DEBUG
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm unable to turn on debugging right at this moment but will do so at the first opportunity. Thanks for the tip, I have awarded a point and accepted this as an answer for now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I get the partial event with EventID, Type, LogName etc, but the Message field just contains "could not get description for this event". According to Microsoft, this means the necessary DLL files and/or registry keys for the application that generated the event are unavailable but as the events are logged on the local machine that's obviously not the case. The events in question show perfectly fine in the Event Log viewer. Thus, the only possible explanation is that the UF failed to get the message text for some reason or another. I have spent quite a few hours lately trying to figure out the inner workings of Event Logs and the API is a complete mess.
Now... not for one second will I blame Splunk for not getting this crap to work.
Everyone else in the whole world has been using text logs since the 60's so obviously Microsoft had to "innovate" a log system so bloated, complicated, fragile and brain damaged it can't be used for any real life purpose whatsoever. The only almost reliable way to wrest the logs out of this monster is by the use of Powershell. Just don't expect to be able to run anything else on that server.
I'll stop ranting and go home now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having a similar issue with receiving events from a 2008R2 UF. Example, ColdFusion sourcetype yeilds the following:
Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt. FormatMessage error: Got the following information from this event: ColdFusion 9 ODBC Server@LOCALHOST,ErrorCode=2310,ErrorMessage=TCP/IP, connection reset by peer.
How can I fix the formatting issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The event rendering takes place on the forwarder. Once the event is rendered, it doesn't get annotated or modified in anyway. Do you seen any partial event, or is the event complete hash?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
