Solved: Why Splunk could not get the description for this ...

hrawat · ‎02-06-2023

Issue happens after windows server is restarted. Restarting splunk universal forwarder fixes the issue.

Either the component that raises this event is not installed

hrawat · ‎02-17-2025

Also another workaround https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-descrip...

View solution in original post

hrawat · ‎02-17-2025

Also another workaround https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-descrip...

hrawat · ‎02-06-2023

There are two workarounds.

1. Use 'Delayed Start' for the Splunk Forwarder service. (https://community.splunk.com/t5/Getting-Data-In/Why-quot-FormatMessage-error-quot-appears-in-indexed...). However it's hard to configure thousands of DCs.

2. Configure interval as cron schedule instead.

interval = [<decimal>|<cron schedule>]

[WinEventLog]

interval=* * * * *

By default wineventlog interval is 60 sec. That means as soon as splunk is restarted, wineventlog (or any modinput) is immediately started. Subsequently every 60( configured interval) splunk checks if modinput is still running. If not, re-launch modinput.
Instead of setting interval 60 sec, if we use cron schedule to run every minute, then splunk is not going to launch modinput immediately. So essentially the idea is to convert interval setting from decimal to cron schedule to introduce a delay.

Why Splunk could not get the description for this event?

universal forwarder

Windows

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)